Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Lab: Web cache poisoning via an unkeyed query string is making unexpected request.

Arun | Last updated: Jun 13, 2023 06:07PM UTC

In the stated lab when the home page is taken into the repeater, and added with Pragma: x-get-cache-key header & value, the response contains X-Cache-Key: /$$origin=https://gt2p587.com, here the value in the origin is continuously changing with each request made in repeater. Due to this behaviour the X-Cache header never hits. Therefore unable to proceed with the lab. Please note that no origin header is added in the request manually. And even when manual origin header is added, that doesn't make any difference in the behaviour. And also the same domain in the that is reflecting in the origin (here gt2p587) is also getting appended in the response page as a query parameter, notice line no. 15 (<link rel="canonical" href='//0ac700f6032585cb83b519ba007c0034.web-security-academy.net/?gt2p587=1'/>)

Arun | Last updated: Jun 14, 2023 07:01AM UTC

Identified the issue is with the Param miner extension, which is running in the background and continuously changing the origin header. Need to stop the extension manually.

Dominyque, PortSwigger Agent | Last updated: Jun 14, 2023 09:01AM UTC

Hi Arun Thank you for the update! Happy to hear you found what was causing the issue.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.