Burp Suite User Forum

Problem with solving two labs

BK | Last updated: Aug 31, 2020 06:20PM UTC

Hi Everyone, I am stuck with the last two labs; I am not able to solve them.

1. Exploiting HTTP request smuggling to capture other users' requests

Problem: Not able to log in after retrieving the cookie. I can see the user's cookie header but it has three parts: victim fingerprint (32 characters), secret (32 characters) and session (only 29 characters). I believe even the session is 32 characters, but I am not able to retrieve it as nothing is updating if I increase the content length from here. But if this is correct, I am getting a "csrf not present" error while logging in. I tried both changing csrf to the one used during the attack and keeping it as it is. I also tried submitting the cookie parts individually; error every time.

2. Combining web cache poisoning vulnerabilities

Problem: This lab is a frustration for me. I am not able to move even a step further, as Repeater doesn't complete when sent whenever I use X-Forwareded-Host or a cache buster on either the home page or the /?localized=1 page. Param Miner works but only gives X-Forwareded-Host in results, no other header. I know there is something wrong I might be doing, but I am not able to figure it out.

BK | Last updated: Sep 01, 2020 05:53AM UTC

Update! Finally solved the HTTP request smuggling to capture other users' requests lab. I was definitely stupid with it. The problem was with the content length, as I had jumped a bit further than actually required. Now I am left with the combined cache poisoning lab, not understanding what is going wrong.

Hannah, PortSwigger Agent | Last updated: Sep 01, 2020 07:53AM UTC

Have you tried following along with the solution, and tried copy-pasting the header names (using X-Forwarded-Host rather than X-Forwareded-Host)? You could also try following along with a video solution.

BK | Last updated: Sep 02, 2020 12:49PM UTC

Hi Hannah,

It's X-Forwarded-Host as you mentioned. Forwareded was just a typo while writing it here. Even when I copy and paste it, I hit the same dead end with Repeater: I won't receive anything back, it just sits there in send mode. This issue only happens when I edit the original, i.e. add a cache buster or header, but if I send the GET request as usual without editing, I get 200 OK. I will try the lab again tomorrow and let you know with any updates.

Thank you

Hannah, PortSwigger Agent | Last updated: Sep 02, 2020 12:58PM UTC

A common issue with Web Cache Poisoning labs is users sometimes forget to disable the automatically added cache busters in Param Miner after enabling them - so it might be worth checking you don't have any of them enabled when you're trying to solve the lab.

BK | Last updated: Sep 06, 2020 05:01AM UTC

Thank you Hannah, I have solved the lab now. The problem was not in Param Miner or Burp; it was actually a tiny execution mistake from my side. Thanks to a Twitter friend who pointed it out to me.

Note: To those who are not able to solve this lab even after following all instructions correctly, go back into the previous basic web cache labs and remember how everything works, apart from just the instructions. My focus was only on this lab and I forgot the web cache as a whole, and my execution was flawed. So, give attention to tiny details and it will be smooth.

Hannah, PortSwigger Agent | Last updated: Sep 07, 2020 07:00AM UTC

Glad to hear you completed it! Enjoy the rest of the labs.
