Burp Suite User Forum

Lab: Internal cache poisoning (Unintended Solution)

Hudson | Last updated: Sep 22, 2023 11:17PM UTC

Hello ^^, the lab https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-internal has an unintended solution!

#) Steps Explanation

We can overwrite the Host used dynamically through the "X-Forwarded-Host" header. The host is used by the "<link>" and "<script>" tags in their "href" and "src" attributes:

<link rel="canonical" href='//[LAB-ID].web-security-academy.net/'/>
<script type="text/javascript" src="//[LAB-ID].web-security-academy.net/resources/js/analytics.js"></script>
<script src=//[LAB-ID].web-security-academy.net/js/geolocate.js?callback=loadCountry>

The "href" attribute and the "src" attribute that includes the "/js/geolocate.js?callback=loadCountry" file are correctly sanitized by escaping HTML codes, but the "src" attribute that includes the "/resources/js/analytics.js" file doesn't sanitize HTML codes, making it possible to escape the "<script>" tag and inject HTML/JavaScript code directly through the "X-Forwarded-Host" header.

#) Video POC

https://user-images.githubusercontent.com/96009982/270070692-c047ab0f-4e02-4b08-a0a4-ea08e1d7a96b.mp4
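The inconsistency the post describes (one attribute escaped, one not, both fed from a forwarded header) is easiest to see as a server-side rendering pattern. The following Python is an added illustration, not code from the lab or from PortSwigger: it models a renderer that trusts X-Forwarded-Host and inserts it unescaped into the analytics script tag, next to a hardened version that both refuses hosts outside an explicit allowlist and attribute-encodes the value. The allowlisted host name and the header values are constructed for the example; the lab's real host is a per-lab ID.

```python
import html

# Constructed allowlist of hosts the application may reference in absolute
# URLs. A real deployment would load this from configuration.
ALLOWED_HOSTS = {"example-lab.web-security-academy.net"}


def choose_host(headers, canonical_host, trust_forwarded=False):
    """Pick the host used when building absolute URLs.

    X-Forwarded-Host is an unkeyed input from the cache's point of view, so
    it is ignored unless the deployment explicitly marks the proxy that sets
    it as trusted. Header names are matched case-insensitively.
    """
    if trust_forwarded:
        for name, value in headers.items():
            if name.lower() == "x-forwarded-host":
                return value
    return canonical_host


def attribute_encode(value):
    """HTML-encode a value for use inside a quoted attribute.

    html.escape with quote=True turns & < > " ' into entities, so the value
    cannot terminate the attribute or the enclosing tag.
    """
    return html.escape(value, quote=True)


def render_analytics_tag_vulnerable(host):
    # Mirrors the flaw in the post: the host is interpolated verbatim into a
    # double-quoted src attribute, so a quote in the host ends the attribute.
    return (
        '<script type="text/javascript" '
        f'src="//{host}/resources/js/analytics.js"></script>'
    )


def render_analytics_tag_hardened(host, allowed_hosts=ALLOWED_HOSTS):
    # 1. Validate against an allowlist: a host the application never expects
    #    should not reach the template at all.
    if host not in allowed_hosts:
        raise ValueError("host not in allowlist")
    # 2. Attribute-encode anyway, so a later change to the allowlist or the
    #    template cannot silently reintroduce the injection.
    safe = attribute_encode(host)
    return (
        '<script type="text/javascript" '
        f'src="//{safe}/resources/js/analytics.js"></script>'
    )


def is_attribute_intact(rendered, host):
    """Defensive check for a template test: the src attribute must still
    contain exactly the encoded host and nothing that was not encoded."""
    return f'src="//{attribute_encode(host)}/resources/js/analytics.js"' in rendered


if __name__ == "__main__":
    # Constructed request: a forwarded host containing a quote and a tag opener.
    headers = {"X-Forwarded-Host": 'forged"><b'}
    print(render_analytics_tag_vulnerable(choose_host(headers, "example-lab.web-security-academy.net", trust_forwarded=True)))
    print(render_analytics_tag_hardened(choose_host(headers, "example-lab.web-security-academy.net")))
```

The two controls are independent: the allowlist stops the cache from ever storing a page that points at a foreign host, and the encoding stops a quote in the host from terminating the attribute even if validation is loosened later. The lab's other two tags already had the second control; only the analytics tag lacked it.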

Michelle, PortSwigger Agent | Last updated: Sep 25, 2023 11:15AM UTC

Hi, for some of the labs there can be more than one way to achieve the end result, not just the one documented in the solution :)
