Burp Suite User Forum


Lab: Web cache poisoning via ambiguous requests

Antonin | Last updated: Jun 22, 2024 11:05AM UTC

Hi, When I try adding a duplicate Host header in this lab, I get a 404 status code. The solution reads: "Notice that if you add a second Host header with an arbitrary value, this appears to be ignored when validating and routing your request." That is not true. Adding a second Host header prevents the client from receiving a 200, either from the cache, or the server. Is something off with the lab?

Ben, PortSwigger Agent | Last updated: Jun 24, 2024 07:34AM UTC

Hi Antonin, I have just run through this lab and it still appears to be functioning as expected and can be solved with the written solution. Are you able to provide some details of what the request that you are trying to send looks like so that we can see this exactly (a screenshot would be useful)?

KTM | Last updated: Jun 24, 2024 06:32PM UTC

I stumbled on this same issue and eventually created a new `Get` request from the browser and noticed the second host now worked. Comparing and testing both requests, it appears that with the addition of the `Cookie: session:...; _lab:...` header the request now worked with the added second Host. Why this is, I have no idea.

Antonin | Last updated: Jun 29, 2024 07:07AM UTC

Hi all, Thanks for the input. So, the GET request I send that gets me a 200 is:

```
GET /?cb=1234 HTTP/1.1
Host: 0ac5006f03331234837cb9b800620031.h1-web-security-academy.net
```

When performing the SAME request with a duplicate Host header along with an arbitrary value (as suggested by the instructions), I get a 403 (and not 404 as originally/wrongfully stated in my post).

```
GET /?cb=1234 HTTP/1.1
Host: 0ac5006f033341fe837cb9b800620031.h1-web-security-academy.net
Host: abcd.com
```

I tried with and/or without the cache-buster, it didn't make a difference. I tried all kinds of values for the Host header -- none worked. As @KTM suggested, refreshing the page generates a new GET request for / in Burp Proxy. This GET request contains the _lab cookie. As @KTM rightfully stated, adding a second Host header now works. I would suggest the solution be amended to reflect this behavior and prevent anyone from trying to troubleshoot this.

https://snipboard.io/nsy2da.jpg
https://snipboard.io/MvBD4k.jpg

Ben, PortSwigger Agent | Last updated: Jul 01, 2024 09:54AM UTC

Hi both, I think a slight adjustment to the written solution that perhaps mentions clicking the 'home' link on the main page (which would then generate the request with the cookie) and then manipulating that request would be sufficient for the solution - do you agree? If so, I will raise a request with the content team to add this to the solution.

Antonin | Last updated: Jul 23, 2024 04:09AM UTC

Hi Ben, sorry for the late answer. Agree, that would be sufficient to prevent anyone from encountering the same "issue".

Ben, PortSwigger Agent | Last updated: Jul 23, 2024 07:56AM UTC

Thanks Antonin, I have now raised a request with the content team to alter the written solution slightly so that we have this recorded as something that should be carried out.
