Burp Suite User Forum


Web cache poisoning with multiple headers - How Do I Actually find these 2 headers to inject my arbitrary values?

majortom | Last updated: Jul 27, 2023 05:05PM UTC

I know from the hint that I need to use the X-Forwarded-Host and X-Forwarded-Scheme headers, but when I used the Param Miner extension in Burp it only found the X-Forwarded-Scheme header. I used the default options: Extensions -> Param Miner -> Guess Params -> Guess Headers. So my question is: am I doing something wrong with the extension, so that it didn't find the other header, X-Forwarded-Host?

Liam, PortSwigger Agent | Last updated: Jul 31, 2023 07:51AM UTC

Hi majortom. Thanks for your message. We'll test the lab and solution internally and get back to you ASAP.

majortom | Last updated: Jul 31, 2023 01:42PM UTC

OK, waiting for info

Syed, PortSwigger Agent | Last updated: Jul 31, 2023 03:00PM UTC

Hi majortom, I appreciate your patience! After testing the labs, I can confirm that you are not doing anything wrong and that the extension is working as expected. So, how Param Miner works is that for a header to be detected at an endpoint, it must affect the response, and if you follow the lab steps, you'd see that the X-Forwarded-Host header does not affect that response. Hence, it is not detected by the extension. If you go ahead in the lab, you will see that at a certain point, the extension returns the X-Forwarded-Host header but not the X-Forwarded-Scheme header; that is because, on that request, the latter has no effect. And as the hint says, the lab supports both headers, but it doesn't have to be simultaneous. I hope that helps.

majortom | Last updated: Aug 07, 2023 04:06PM UTC

I see, so to sum up: I would have to use Param Miner on at least 2 different requests to detect those two different headers. They are not detected in the same request.

Syed, PortSwigger Agent | Last updated: Aug 08, 2023 07:14AM UTC

Exactly! The header must have an effect on the response, that's how Param Miner detects them. In this case, only one request does that at a time.
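The detection rule Syed describes (a header is only reported when adding it changes the response) as an added, self-contained example; this is not Param Miner's or PortSwigger's code. The two handlers are constructed stand-ins for the lab's endpoints, and the same differential check doubles as a regression test that a proxy-only header really has no effect on your own origin.

```python
"""Constructed demo of Param Miner's detection rule: a header is reported at an
endpoint only if sending it changes the response. Mock endpoints, not lab code."""
from typing import Callable, Dict, List

Headers = Dict[str, str]
Response = Dict[str, str]  # constructed shape: {"status", "location", "body"}
Handler = Callable[[Headers], Response]

def home(headers: Headers) -> Response:
    # Mock endpoint A: builds an absolute script URL from X-Forwarded-Host
    # (the unsafe behaviour); X-Forwarded-Scheme is never read here.
    host = headers.get("X-Forwarded-Host", "example.invalid")
    return {"status": "200", "location": "",
            "body": f'<script src="https://{host}/resources/js/tracking.js"></script>'}

def redirect_to_https(headers: Headers) -> Response:
    # Mock endpoint B: redirects unless X-Forwarded-Scheme claims the request
    # already arrived over HTTPS; X-Forwarded-Host is never read here.
    if headers.get("X-Forwarded-Scheme", "https").lower() == "https":
        return {"status": "200", "location": "", "body": "ok"}
    return {"status": "302", "location": "https://example.invalid/", "body": ""}

def header_affects_response(handler: Handler, header: str,
                            probe: str = "canary.invalid") -> bool:
    """Compare a baseline request with one carrying the candidate header.
    The header counts as 'supported' only if the response differs."""
    baseline = handler({})
    # Guard against false positives: a response that changes between two
    # identical requests (timestamps, nonces) must be normalised first.
    if handler({}) != baseline:
        raise ValueError("endpoint response is unstable; normalise volatile fields")
    return handler({header: probe}) != baseline

def guess_headers(handler: Handler,
                  candidates=("X-Forwarded-Host", "X-Forwarded-Scheme")) -> List[str]:
    """Report which candidate headers affect this endpoint's response."""
    return [h for h in candidates if header_affects_response(handler, h)]

if __name__ == "__main__":
    # Each endpoint exposes only one of the two headers, as in the thread.
    print("home:", guess_headers(home))
    print("redirect:", guess_headers(redirect_to_https))
```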

AJ | Last updated: Jan 07, 2024 02:48AM UTC

I have the same question on the "Password reset poisoning via middleware" lab: Param Miner didn't detect the X-Forwarded-Host header at the endpoint that supports it (I eventually solved the lab and know that the header works). I did notice that there was no discernible difference in the response with or without the header, so is that header meant to be found through just trial and error?

Syed, PortSwigger Agent | Last updated: Jan 08, 2024 04:11PM UTC

It's more like you need to be on the right page for Param Miner to find the header.
