Burp Suite User Forum


Targeted web cache poisoning using an unknown header

kairosdev | Last updated: Mar 08, 2022 07:48PM UTC

Hey, I'm doing "Targeted web cache poisoning using an unknown header" lab. According to the point 3 on the Solutions you have to "With the Param Miner extension enabled, right-click on the request and select "Guess headers". After a while, Param Miner will report that there is a secret input in the form of the X-Host header." I'm trying but I can't see the secret input in the form of the X-Host header. I'm using Burp Suite Pro v2020.11.3 and Param Miner 1.4b. Any idea?

Ben, PortSwigger Agent | Last updated: Mar 09, 2022 09:58AM UTC

Hi Kairos. The Param Miner extension should be reporting its findings under the Extender -> Extensions -> Param Miner -> Output section within Burp (if you select the Param Miner extension in the 'Burp Extensions' table within 'Extensions' and then subsequently view the Output tab). Are you not seeing any information being displayed here when you have initiated an attack?

kairosdev | Last updated: Mar 09, 2022 01:19PM UTC

This is what I see in the "Output" tab:

Using albinowaxUtils v1.01
Loaded Param Miner v1.4b
Updating active thread pool size to 8
Queued 1 attacks

Ben, PortSwigger Agent | Last updated: Mar 09, 2022 01:58PM UTC

Hi Kairos. Apologies, I have just noticed the version of Burp that you mentioned you were using in your initial message. Param Miner will have been updated to work with the later versions of Burp, and there are likely to be compatibility issues using it with the older version of Burp - obviously, the 2020.11.3 release is quite old now. What you should be able to do, if you absolutely have to use the older version of Burp, is to obtain the Param Miner 1.27 Jar file (from here - https://github.com/PortSwigger/param-miner/releases) and then install it manually via the Extender -> Extensions -> Add button. This should then work with Burp 2020.11.3. We would, however, always recommend updating the version of Burp that you are using.

kairosdev | Last updated: Mar 09, 2022 07:35PM UTC

Thanks.
