Burp Suite User Forum

Web Cache Poisoning Lab Hanging Response

Lewis | Last updated: Apr 27, 2023 02:47PM UTC

I'm currently attempting the following lab: Lab: Targeted web cache poisoning using an unknown header

The steps I have currently done:
1. Intercepted a GET / HTTP/1.1 request to the lab URL
2. Sent the intercepted request to Burp Suite Repeater
3. Verified the target page can be cached
4. Run the Param Miner extension to discover the request headers that are not keyed
5. Discovered X-Host is not keyed
6. Added the X-Host header with a dummy URL mysite.xyz in the repeater
7. Pressed send!

After step 7, the server response just hangs and Burp Suite displays "Waiting" in the bottom left. Even if I press "Cancel", remove the X-Host header, and attempt a normal request, it will still hang. At one point, the lab URL displayed a 504 Server Error. All requests in Burp Suite to the URL work perfectly fine until I add the X-Host header.

I thought I may have just been doing something wrong, but I checked the community solution video and they have done everything that I have - the only difference being they don't have a hung response when sending along the X-Host header.

Lewis | Last updated: Apr 27, 2023 03:00PM UTC

Note: My current lab is at https://0a98005e0386d13f823c6031008900a9.h1-web-security-academy.net/ and is giving the following response both in Burp Suite and in all browsers: Server Error: Gateway Timeout (0) connecting to 0a98005e0386d13f823c6031008900a9.h1-web-security-academy.net

Ben, PortSwigger Agent | Last updated: Apr 27, 2023 04:32PM UTC

Hi Lewis, Are you able to provide us with a screenshot of the request that you are trying to send (after you have added the X-Host header)? If it is easier to do this via email (you cannot attach screenshots directly to forum posts) then please feel free to send this to support@portswigger.net and we can take a look from there. In terms of the gateway error - each lab instance will expire after a certain period of time (around 10 minutes of inactivity) and you would need to obtain a fresh instance by launching the lab again. Is this the likely situation that you have experienced?

Lewis | Last updated: Apr 28, 2023 10:04AM UTC

Below is the request:

    GET /?c=1 HTTP/1.1
    Host: 0aed007903f20511803d08aa0021007b.h1-web-security-academy.net
    Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Connection: close
    X-Host: mysite.xyz

Regarding the timeout error, that is most likely what happened then. Thanks for the clarification.

Ben, PortSwigger Agent | Last updated: May 01, 2023 07:39AM UTC

Hi Lewis, It is difficult to tell how you have laid out your request in text format (hence why I asked for a screenshot) but do you have two blank lines at the end of your request to signify the requisite trailing sequence \r\n\r\n?

Brian | Last updated: May 23, 2023 02:49AM UTC

I am also facing the same issue:

    GET /resources/js/tracking.js HTTP/1.1
    Host: 0aa3004604eb3c7487a0ba8c00ab003c.h1-web-security-academy.net
    Cookie: session=HDLxwXiXgxgHOFqlGuifNSY8i43vr9r1
    Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://0aa3004604eb3c7487a0ba8c00ab003c.h1-web-security-academy.net/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    X-Host: Example.com

Michelle, PortSwigger Agent | Last updated: May 23, 2023 03:08PM UTC

Hi,

When you are editing your request in Repeater, if you click on the \n button to 'Show non-printable characters', do you see \r\n twice at the end of the request?
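
The trailing \r\n\r\n check that both PortSwigger agents ask about, as an added example that is not part of the original thread: it inspects a raw request for the terminating blank line and models a header read loop that keeps waiting when the blank line never arrives. The function names and the host lab.example are hypothetical, and the request is assumed to have no body.

```python
import socket

CRLF = b"\r\n"
END_OF_HEADERS = CRLF + CRLF  # the empty line that ends the header section

def framing_problems(raw: bytes) -> list:
    """List framing defects in a raw HTTP/1.1 request that has no body."""
    problems = []
    if b"\n" in raw.replace(CRLF, b""):
        problems.append("bare LF line ending")
    normalised = raw.replace(CRLF, b"\n").replace(b"\n", CRLF)
    if not normalised.endswith(END_OF_HEADERS):
        problems.append("missing blank line after last header")
    return problems

def repair(raw: bytes) -> bytes:
    """Normalise line endings to CRLF and end the headers with one blank line."""
    normalised = raw.replace(CRLF, b"\n").replace(b"\n", CRLF)
    return normalised.rstrip(b"\r\n") + END_OF_HEADERS

def server_gets_full_headers(raw: bytes, timeout: float = 0.3) -> bool:
    """Model a header read loop: read until the blank line, or give up on timeout."""
    client, server = socket.socketpair()
    try:
        server.settimeout(timeout)
        client.sendall(raw)  # the connection stays open, so the reader keeps waiting
        buf = b""
        while END_OF_HEADERS not in buf:
            try:
                chunk = server.recv(4096)
            except socket.timeout:
                return False  # still waiting for the rest of the headers
            if not chunk:
                return False  # peer closed before the headers were complete
            buf += chunk
        return True
    finally:
        client.close()
        server.close()

# Constructed sample: the X-Host request from the thread, shortened, placeholder host.
HEADERS = [b"GET /?c=1 HTTP/1.1", b"Host: lab.example", b"Connection: close", b"X-Host: mysite.xyz"]
UNTERMINATED = CRLF.join(HEADERS) + CRLF  # ends right after the last header line
TERMINATED = repair(UNTERMINATED)

if __name__ == "__main__":
    for name, req in (("unterminated", UNTERMINATED), ("terminated", TERMINATED)):
        print(name, framing_problems(req), server_gets_full_headers(req))
```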
