The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab Not Functioning Well

Nikhil | Last updated: Jul 10, 2020 03:35AM UTC

I am trying to solve Lab: Exploiting HTTP request smuggling to capture other users' requests. But it always only contains my own csrf and session cookie. I told you 2 days ago. Please try to solve this lab. I tried 20 times. Sometimes the comments contain only plain text, sometimes they contain only my own cookie and csrf, and sometimes the comments didn't get posted.

Hannah, PortSwigger Agent | Last updated: Jul 10, 2020 08:59AM UTC

Hi Nikhil, this lab is functioning as expected. If you are struggling, we would recommend that you follow a video tutorial.

Nikhil | Last updated: Jul 10, 2020 11:32AM UTC

It contains my own session in the comment. Can you please make a video on it? Please, it's my request. I tried so many times. Please help me. I did like the video. Please help me.

Hannah, PortSwigger Agent | Last updated: Jul 10, 2020 12:01PM UTC

Hi Nikhil, I cannot make a video on it. Carlos's request should begin with "test GET / HTTP/1.1 Host:" if you are following the lab solution. You will need to slowly increase the content-length of the smuggled request until you retrieve the session cookie. I would recommend starting at about 700. Once you have the session cookie, you will need to use that to access Carlos's account to complete the lab.

Nikhil | Last updated: Jul 10, 2020 12:17PM UTC

hiGET / HTTP/1.1 Host: ac5c1fcc1eb1ea4a8071ef100011006c.web-security-academy.net Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Sec-Fetch-Dest: document Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Cookie: victim-fingerprint=J2dPuG7Fap0njQZfygZGNQJW5OhSJFWa; secret=EtDCk37O8yUAMgfjj2T6bvESRx74hEwZ

Nikhil | Last updated: Jul 10, 2020 12:18PM UTC

I got this. Can you tell me if it is the thing I am looking for? If yes, please tell me how to use it. I copied the whole cookie parameter but the lab didn't get solved.

Hannah, PortSwigger Agent | Last updated: Jul 10, 2020 12:48PM UTC

You are looking for Carlos's "session" cookie.

Nikhil | Last updated: Jul 10, 2020 12:59PM UTC

hiGET / HTTP/1.1 Host: ac5c1fcc1eb1ea4a8071ef100011006c.web-security-academy.net Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Sec-Fetch-Dest: document Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Cookie: victim-fingerprint=J2dPuG7Fap0njQZfygZGNQJW5OhSJFWa; secret=EtDCk37O8yUAMgfjj2T6bvESRx74hEwZ; session=s5Rv72LYtmunhhsQYXyRobRMxXQIZMYm

I was near it but the lab session expired.

Hannah, PortSwigger Agent | Last updated: Jul 10, 2020 01:40PM UTC

Looks like you're almost there. Good luck.

Nikhil | Last updated: Jul 10, 2020 01:57PM UTC