Burp Suite User Forum


Password Reset Poisoning via Dangling Markup

Johnathon | Last updated: Apr 01, 2021 07:09PM UTC

This lab is not working for me at all. I'm following a video online and doing the steps exactly, but when I try to add a port it says 504 Gateway Timeout. OR it says bad request, CSRF token expired, or something along those lines. I have no idea what's going on considering I'm following a video step by step and the person making the video is having no problems but I am. Please help!

Michelle, PortSwigger Agent | Last updated: Apr 05, 2021 10:58AM UTC

Thanks for your message.

In step 5 of the solution, what have you tried adding as the port on the host header?

kairosdev | Last updated: Apr 05, 2023 09:25AM UTC

I got the same problem. This is my request:

POST /forgot-password HTTP/2
Host: 0a3100a703b733a780cdd52400fa00cc.web-security-academy.net:hacker
Cookie: _lab=47%7cMC0CFQCL6IcyaBnM0GrEL1zIQkqg%2fteaDwIUU%2biYTc2T54NDrtGawipupNvDKQPGAfQQCGXFTotT8OKtihw96oawAJ7JLwhjGtWmsiwaP7sa1MhcvvJh6IFjta51TYETB8wKt7f2Qam8CBpEL0QdsiBCM%2b1RWgIdhiJSu4xr8TalpeUF; session=r1xN2ML6ZSViYVUBgLnBDcBiHW20jJ50
Content-Length: 53
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://0a3100a703b733a780cdd52400fa00cc.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a3100a703b733a780cdd52400fa00cc.web-security-academy.net/forgot-password
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

csrf=7aAzgeyHrTkdDrYzq748qCQu1SRmjRRl&username=wiener

And this is the response:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
Set-Cookie: session=kqlNjqyXCMdgGlG7H5hcI5WbGpMRl7M8; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 60

"Invalid CSRF token (session does not contain a CSRF token)"
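As an added, defender-side example (not code from the lab, from PortSwigger, or from anyone in this thread): a server-side Host header check that rejects values like the ":hacker" port in the request above and builds the password-reset link from a configured canonical URL rather than from the Host header. The allowlist, hostname and base URL are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hostnames this application is legitimately served on.
ALLOWED_HOSTS = {"example-app.test"}
# Constructed canonical origin; reset links are always built from this,
# never from whatever the client put in the Host header.
CANONICAL_BASE_URL = "https://example-app.test"


def parse_host_header(value):
    """Split a Host header into (hostname, port); return None if malformed.

    urlsplit() on a scheme-less '//host:port' applies the stdlib's own
    netloc rules: the hostname is lowercased and a non-numeric port such
    as ':hacker' raises ValueError when .port is read.
    """
    if not value or any(c.isspace() for c in value):
        return None
    try:
        parts = urlsplit("//" + value)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    # Reject userinfo, path, query or fragment smuggled into the header.
    if host is None or "@" in value or parts.path or parts.query or parts.fragment:
        return None
    return host, port


def host_is_trusted(header_value, default_port=443):
    """True only for an allowlisted host on the expected port (or no port)."""
    parsed = parse_host_header(header_value)
    if parsed is None:
        return False
    host, port = parsed
    effective_port = default_port if port is None else port
    return host in ALLOWED_HOSTS and effective_port == default_port


def build_reset_link(host_header, token):
    """Return the reset link for a trusted request; raise otherwise.

    Even on success the link comes from CANONICAL_BASE_URL, so a poisoned
    Host header can never end up in the e-mail sent to the victim.
    """
    if not host_is_trusted(host_header):
        raise ValueError("untrusted Host header")
    return f"{CANONICAL_BASE_URL}/reset-password?token={token}"
```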

Ben, PortSwigger Agent | Last updated: Apr 07, 2023 08:34AM UTC

Hi Kairos, Are you seeing the request that contains the payload being 'kettled' within Burp?

kairosdev | Last updated: Apr 08, 2023 05:36PM UTC

Sorry, what do you mean by being "kettled"?

Nstderr | Last updated: Apr 09, 2023 09:33PM UTC

In Repeater, it should say the request was kettled. Burp automatically changing the protocol to HTTP/2 caused the CSRF issue and kettling for me. Disabling this in settings (Network > Settings > HTTP > uncheck "Default to HTTP/2 if the server supports it") fixed the CSRF issue for me.

Ben, PortSwigger Agent | Last updated: Apr 10, 2023 09:16AM UTC

Hi, We have recently made the change so that the labs support HTTP/2. This has had an impact on some of the labs and we have a requirement to update some of the solutions so that they reflect this change (some additional steps might be required). It looks as though this lab is affected by this change, so I will pass this on to the wider team so that we can address it in due course. As noted, you should be able to solve the lab by disabling Burp's use of HTTP/2.

kairosdev | Last updated: Apr 13, 2023 05:44PM UTC

I've already changed the settings (Network > Settings > HTTP > uncheck "Default to HTTP/2 if the server supports it") and I still get the same error. BTW this is in Community Edition, because in the Professional version there isn't any Settings option.

Ben, PortSwigger Agent | Last updated: Apr 14, 2023 07:33AM UTC

Hi Kairos, You would also need to alter this within the Proxy Listener - in the later versions of Burp, if you click the 'Proxy settings' button within the Proxy tab there should be a 'Support HTTP/2' option within the Proxy listeners section that would need disabling. Please let us know if you require any screenshots to identify this. What version of Burp Professional are you running? The change to where the various settings are located was only introduced a few versions back, so if you are running an older version then they will be located in the old style 'Project options' and 'User options' tabs.

kairosdev | Last updated: Apr 14, 2023 09:23AM UTC

I'm trying with Community Edition 2023.1.2. Could you please send me the screenshots you're referring to? Thanks.

Ben, PortSwigger Agent | Last updated: Apr 14, 2023 12:47PM UTC

Hi Kairos, Apologies, that slightly older version does not have that setting in place in the area that I suggested. If you open up the Proxy settings, navigate to the Proxy listeners section and then click the Edit button for the listener that you are using. Within the resulting dialog, are you able to navigate to the HTTP tab and then disable the 'Support HTTP/2' option there (we recently moved this setting so that it is editable directly in the proxy listener section in the later versions to make it more obvious to users)? The following screenshot illustrates this setting in the version that you are using: https://snipboard.io/miYSVj.jpg Could you do this, alongside disabling the Network -> HTTP -> HTTP/2 -> Default to HTTP/2 if the server supports it option that you have already carried out, and then try the lab again?

kairosdev | Last updated: Apr 19, 2023 06:49PM UTC

Hi, I've already done all you have told me and there's no way of passing the "Invalid CSRF token (session does not contain a CSRF token)". Could I send you a screenshot of my request?

Ben, PortSwigger Agent | Last updated: Apr 20, 2023 07:03AM UTC

Hi Kairos, Please feel free to email us at support@portswigger.net and you can include your screenshots there.

Sharon | Last updated: Aug 27, 2023 01:02AM UTC

I am having the exact same issue. What was the final solution? I have already taken the steps provided here but it did not solve the issue.

Ben, PortSwigger Agent | Last updated: Aug 28, 2023 10:55AM UTC

Hi Sharon, Which particular part of the solution are you having issues with? Are you able to share some details?
