Burp Suite User Forum


Labs: Web cache poisoning not solved

Manuel | Last updated: Jun 07, 2022 08:30AM UTC

I can successfully exploit myself but none of the labs get marked as solved. I've tried the first three web cache poisoning labs.

Ben, PortSwigger Agent | Last updated: Jun 07, 2022 09:20AM UTC

Hi Manuel, Just to confirm, you are referring to the 'Web cache poisoning with an unkeyed header', 'Web cache poisoning with an unkeyed cookie' and 'Web cache poisoning with multiple headers' labs? If so, I have just run through these and been able to successfully solve them using the solutions provided so they do appear to be working as expected. Are you able to provide us with the specific steps that you are taking for one (or all) of the labs so that we can see exactly what you are doing? If it is easier to do this using screenshots then please feel free to send us an email at support@portswigger.net.

Manuel | Last updated: Jun 07, 2022 09:38AM UTC

Hi, I'm gonna use the first one, 'Web cache poisoning with an unkeyed header', as an example. I do all the steps provided by the solution and I'm successfully able to get an alert(document.cookie) popup in my browser without the cb parameter, so just by visiting the default lab URL or clicking "Access the lab". This would mean that the victim should also get that popup since the cache is poisoned. To confirm that, I can see in the response from the Repeater that I get the poisoned URL for the tracking.js (src="//exploit-xxx.web-security-academy.net/resources/js/tracking.js">) alongside the 'X-Cache: hit' header.

Ben, PortSwigger Agent | Last updated: Jun 07, 2022 10:13AM UTC

Hi Manuel, Are you able to provide us with a screenshot of what you have configured in your exploit server and the final, malicious request that you are sending within Burp Repeater (Step 11 of the solution)? I have uploaded a screenshot, below, to illustrate the malicious request I am sending and my exploit server configuration that is allowing me to successfully solve the lab: https://snipboard.io/Y0ODMy.jpg

Manuel | Last updated: Jun 07, 2022 10:49AM UTC

Hi, here are some screenshots: https://snipboard.io/OyTdej.jpg https://snipboard.io/yWTxcp.jpg

Ben, PortSwigger Agent | Last updated: Jun 07, 2022 11:20AM UTC

Hi Manuel, Thank you for that. A couple of things - firstly, I assume that you have tried issuing the malicious request more than once (in order to keep the cache poisoned just in case the 'victim' user was not visiting the page whilst it was poisoned)? Secondly, do you have any extensions enabled and, if so, which ones?

Manuel | Last updated: Jun 07, 2022 11:41AM UTC

Hi, Extensions: Param Miner & Hackvertor. I've tried sending the request for about two minutes and still did not get the lab solved. I'm gonna try with the integrated browser.

Manuel | Last updated: Jun 07, 2022 11:51AM UTC

It worked first try when taking the "poisoning request" (X-Forward-Host: exploit-xxx....) and sending it via curl instead of BURP repeater. You may close this issue.

Manuel | Last updated: Jun 07, 2022 12:47PM UTC

There is still a problem with Lab: Web cache poisoning with multiple headers. I can't seem to get the lab to be marked as solved. Here is a screenshot: https://snipboard.io/Fx54EP.jpg Upon visiting the URL I get a document.cookie popup. I've been poisoning the cache for two minutes.

Ben, PortSwigger Agent | Last updated: Jun 08, 2022 12:51PM UTC

Hi, Do you still have issues with this particular lab if you disable the Param Miner extension?

Manuel | Last updated: Jun 08, 2022 01:01PM UTC

Hi, I was able to solve it by sending the final request (no cache buster param) with cURL instead of Burp Repeater. This worked for all three labs.

Manuel | Last updated: Jun 09, 2022 08:58AM UTC

Hi, when disabling all extensions it also works.

Ben, PortSwigger Agent | Last updated: Jun 09, 2022 09:05AM UTC

Hi Manuel, Having Param Miner installed and loaded can have an impact on these labs (depending upon the settings that have been configured within the extension). If you are now able to successfully solve this (and other) labs after you have disabled the use of the extension then that would appear to be the case here.
