Burp Suite User Forum

Unable to filter X-Forwarded-Host with Param Miner Burpsuite Professional v2024.5.5, Lab: Password reset poisoning via middleware

Ana | Last updated: Jul 09, 2024 11:08AM UTC

Hello, I have attempted this lab, Password reset poisoning via middleware, and run Param Miner on this request, choosing "Guess Headers". I have tried this thrice, but I still could not get the X-Forwarded-Host header, even if I choose "Guess Everything".

POST /forgot-password HTTP/2
Host: 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Cookie: session=TL24sGkVKVATQxFehNgT5nyBGOlYvN1A
Content-Length: 15
Cache-Control: max-age=0
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: https://0a39009804c89ab28091da0d004800b9.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a39009804c89ab28091da0d004800b9.web-security-academy.net/forgot-password
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

username=wiener

Log of Param Miner:

Using albinowaxUtils v1.03
This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality.
Loaded Param Miner v1.4f
Updating active thread pool size to 10
Queued 1 attacks
Setting bucketSize to 32 due to slow response
Initiating header bruteforce on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Resuming header bruteforce at -1 on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Resuming header bruteforce at -1 on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Resuming header bruteforce at -1 on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Resuming header bruteforce at -1 on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Resuming header bruteforce at -1 on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Completed attack on 0a39009804c89ab28091da0d004800b9.web-security-academy.net
Completed 6/6

Ben, PortSwigger Agent | Last updated: Jul 10, 2024 11:28AM UTC

Hi Ana, I believe this lab is designed for you to perform manual exploration in order to determine what headers are supported.

Ana | Last updated: Jul 10, 2024 12:18PM UTC

Hello, yes, I am aware it is a manual exploration; however, I believe you need to use Param Miner to see if there are any headers / parameters that can be used to help you bypass something. If Param Miner can't be used, then could you help me by providing another solution, on how I can know or figure out that it is possible to use X-Forwarded-Host, based on the solution given?

Ana | Last updated: Jul 10, 2024 12:23PM UTC

Would it be possible for you to try the lab as well, Password reset poisoning via middleware, with Burp Suite Pro v2024.5.5 without using Param Miner? I am curious to know what the other method is that helps to confirm that "X-Forwarded-Host" can be used for this lab if Param Miner can't be used. I am so sorry for asking a lot, because I would like to take the exam; however, I am unsure whether it is possible for me to proceed, as I feel like there is something wrong with Param Miner v1.4f. Or could you recommend another tool that helps to detect headers as well?

Ana | Last updated: Jul 10, 2024 12:26PM UTC

I also have tried to look at community solutions and YouTube videos; they all use Param Miner to detect the header. If you could not help me check whether there is something wrong with it, could you help by suggesting another solution on how to find the headers without using it? Thank you so much.

Ben, PortSwigger Agent | Last updated: Jul 10, 2024 09:57PM UTC

Hi Ana, Apologies for the brevity in my initial response. We have responded to your email about this lab but to also confirm here - In order to detect headers, Param Miner relies on the requests that are being sent by the extension affecting the response that is returned. In this particular lab this does not occur so the requisite header is not identified, hence why using Param Miner is not mentioned in the written solution and why there is the need for some manual exploration.
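An added example (not PortSwigger's, Param Miner's or the lab's own code) illustrating Ben's point: a constructed mock of the forgot-password endpoint where X-Forwarded-Host changes only the emailed link, so the two responses a diffing tool compares are byte-identical, beside a hardened link builder that takes the host from configuration. CANONICAL_HOST, TOKEN, outbox, the probe host and all function names are assumptions.

```python
# Added example, not PortSwigger's or Param Miner's code: a constructed mock of
# the lab's reset endpoint, showing why response-diffing cannot see a header
# whose only effect is in the emailed link, and how to build the link safely.
from urllib.parse import urlunsplit

CANONICAL_HOST = "app.example"   # assumption: from server config, never from the request
TOKEN = "TOKEN-PLACEHOLDER"      # constructed stand-in for a real reset token
outbox: list[str] = []           # stands in for the mail sink the tester never sees

def reset_link_vulnerable(headers: dict) -> str:
    """Middleware-style behaviour: prefer X-Forwarded-Host, fall back to Host."""
    host = headers.get("x-forwarded-host") or headers["host"]
    return urlunsplit(("https", host, "/forgot-password",
                       f"temp-forgot-password-token={TOKEN}", ""))

def reset_link_hardened(headers: dict) -> str:
    """Ignore every request-supplied host value; use the configured origin."""
    return urlunsplit(("https", CANONICAL_HOST, "/forgot-password",
                       f"temp-forgot-password-token={TOKEN}", ""))

def forgot_password(headers: dict, build_link) -> tuple[int, str]:
    """The endpoint emails the link but answers identically either way."""
    outbox.append(build_link(headers))
    return 200, "If that account exists, a reset email has been sent."

def probe(build_link) -> dict:
    """Send the request with and without X-Forwarded-Host and compare what a
    response-diffing tool can observe against what actually changed."""
    base = {"host": CANONICAL_HOST}
    probed = {"host": CANONICAL_HOST, "x-forwarded-host": "probe.invalid"}
    outbox.clear()
    resp_a = forgot_password(base, build_link)
    resp_b = forgot_password(probed, build_link)
    return {
        "response_changed": resp_a != resp_b,    # all Param Miner can diff
        "link_changed": outbox[0] != outbox[1],  # visible only in the mailbox
    }

if __name__ == "__main__":
    print("vulnerable:", probe(reset_link_vulnerable))
    print("hardened:  ", probe(reset_link_hardened))
```

The vulnerable builder reports no response change but a changed link, which is exactly the out-of-band effect that header guessing by response comparison cannot detect; the hardened builder reports neither.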

Ana | Last updated: Jul 11, 2024 12:05AM UTC

Oh so it is more of like a trial and error with the headers? Like you inject that X-Forwarded-Host yourself? It is alright, appreciate the response

Ben, PortSwigger Agent | Last updated: Jul 11, 2024 07:36AM UTC

Hi Ana, Exactly that. Sometimes there is some trial and error (or manual exploration) involved when the automated tools are unable to identify areas of interest. There are some useful thought processes, in terms of how the trial and error/manual exploration is conducted, for this particular lab in the write-up below that you might find useful: https://github.com/frank-leitner/portswigger-websecurity-academy/blob/main/02-authentication/Password_reset_poisoning_via_middleware/README.md

Ana | Last updated: Jul 11, 2024 11:43PM UTC

Hi Ben, thank you so much; it is fully clear to me that Param Miner does not work all the time :) I appreciate your response and the link provided. We could close this issue.
