Burp Suite User Forum

Lab: "Web cache poisoning with an unkeyed header" cannot be completed.

Jakob | Last updated: Mar 17, 2020 07:26PM UTC

I cannot get this lab [0] to work properly, even with the official solution. The instructions work perfectly fine for me, and the injected JS is executed in my browser. However, the "victim" never visits the site, so the lab is never cleared. I have tried sending the crafted request every couple of seconds for multiple minutes, so the cache is definitely tainted for multiple minutes.

It seems to me that one of two things is going on:

1. The "victim" is not actually running on your end and therefore the lab cannot be finished currently. This would make sense considering the server logs of the exploit server only contain my own IP.
2. The JS alert(document.cookie) does not work, because the server sets the cookie as HttpOnly. All that the JS is doing is bringing up an empty popup. This might mess with the victim code trying to figure out whether the lab was successfully completed or not.

[0]: https://portswigger.net/web-security/web-cache-poisoning/exploiting/lab-web-cache-poisoning-with-an-unkeyed-header

Michelle, PortSwigger Agent | Last updated: Mar 18, 2020 09:17AM UTC

Hi,

We've tried out the solution instructions here and have been able to solve the lab using them. If you'd like to email us some screenshots of the requests and responses you're seeing in Burp Repeater, we'd be happy to take a look through them with you and help figure out what's happening. You can email us at support@portwigger.net.

Jakob | Last updated: Mar 18, 2020 03:23PM UTC

I had Param Miner enabled in the background and all requests had the fcbz=1 cache busting query string added automatically on my machine. As a result, my cached version was actually for "/?fcbz=1" instead of "/". Disabling Param Miner solved the problem for me. Thanks to Michelle for helping me diagnose the issue!
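The behaviour described in the post above, as an added illustration that is not part of the thread, the lab, or Param Miner: a toy cache that keys on host, path and query string but not on headers, showing why a response stored under "/?fcbz=1" is never served to a visitor requesting "/". The header name, host names and script path are constructed placeholders.

```python
from urllib.parse import urlsplit

UNKEYED_HEADER = "X-Example-Host"  # hypothetical header name, not from the thread


class ToyCache:
    """Minimal model of a cache in front of an origin that reflects an unkeyed header."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def cache_key(host, url):
        # Keyed components: host, path and the full query string. Headers are not keyed.
        parts = urlsplit(url)
        return (host.lower(), parts.path or "/", parts.query)

    @staticmethod
    def origin(headers):
        # The origin builds a script URL from the unkeyed header (constructed behaviour).
        script_host = headers.get(UNKEYED_HEADER, "origin.example")
        return f'<script src="//{script_host}/app.js"></script>'

    def fetch(self, host, url, headers=None):
        key = self.cache_key(host, url)
        if key in self.store:
            return self.store[key], "hit"
        body = self.origin(headers or {})
        self.store[key] = body
        return body, "miss"


def served_to_plain_visitor(request_url):
    """Send one request carrying the unkeyed header, then visit "/" with no extra headers."""
    cache = ToyCache()
    cache.fetch("lab.example", request_url, {UNKEYED_HEADER: "test.example"})
    return cache.fetch("lab.example", "/")


if __name__ == "__main__":
    # With the cache buster appended, the stored entry lives under a different key.
    for url in ("/?fcbz=1", "/"):
        body, status = served_to_plain_visitor(url)
        print(f"header sent on {url!r:12} -> plain '/' visit: {status}, {body}")
```

The same isolation is what makes a cache-busting parameter useful while testing a shared cache: the test entry stays under its own key and other visitors' requests for "/" never match it.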

Eli | Last updated: Oct 04, 2020 06:24AM UTC

Thank you SO MUCH for posting your solution. I ran into this exact issue myself. I'd been banging my head against my desk for an hour! Smh... self inflicted. Thanks again!