Burp Suite User Forum


Web cache poisoning with multiple headers - How Do I Actually find these 2 headers to inject my arbitrary values?

majortom | Last updated: Jul 27, 2023 05:05PM UTC

I know from the hint that I need to use the X-Forwarded-Host and X-Forwarded-Scheme headers, but when I used the Param Miner extension in Burp it only found the X-Forwarded-Scheme header. I used the default options: Extensions -> Param Miner -> Guess Params -> Guess Headers. So my question is: am I doing something wrong with the extension, so that it didn't find the other header, X-Forwarded-Host?

Liam, PortSwigger Agent | Last updated: Jul 31, 2023 07:51AM UTC

Hi majortom. Thanks for your message. We'll test the lab and solution internally and get back to you ASAP.

majortom | Last updated: Jul 31, 2023 01:42PM UTC

OK, waiting for info

Syed, PortSwigger Agent | Last updated: Jul 31, 2023 03:00PM UTC

Hi majortom, I appreciate your patience! After testing the labs, I can confirm that you are not doing anything wrong and that the extension is working as expected. So, how Param Miner works is that for a header to be detected at an endpoint, it must affect the response, and if you follow the lab steps, you'd see that the X-Forwarded-Host header does not affect that response. Hence, it is not detected by the extension. If you go ahead in the lab, you will see that at a certain point, the extension returns the X-Forwarded-Host header but not the X-Forwarded-Scheme header; that is because, on that request, the latter has no effect. And as the hint says, the lab supports both headers, but it doesn't have to be simultaneous. I hope that helps.
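The detection rule Syed describes (a header only counts when it changes the response, so each endpoint can reveal a different header) as an added example; this is not code from the forum or from Param Miner, the two endpoints and their responses are constructed, and the plain response-diff rule is a simplification of Param Miner's real logic.

```python
# Response headers that legitimately vary between identical requests and must
# be ignored before diffing (assumed list; extend it for the app under test).
VOLATILE_HEADERS = {"date", "age", "x-cache", "x-cache-hits", "set-cookie"}

def normalise(raw: str) -> tuple:
    """Split a raw HTTP response into (status + stable headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    stable = {"status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in VOLATILE_HEADERS:
            stable[name.strip().lower()] = value.strip()
    return stable, body

def header_affects_response(baseline: str, probed: str) -> bool:
    """True when the probe changed the status, a stable header, or the body."""
    return normalise(baseline) != normalise(probed)

def detect_influential_headers(probes: dict) -> list:
    """Report every candidate header whose probe response differs from baseline."""
    baseline = probes["baseline"]
    return [h for h, r in probes.items()
            if h != "baseline" and header_affects_response(baseline, r)]

# Constructed responses (not captured from the lab): two endpoints, each probed
# without extra headers and once per candidate header.  On "/" only the scheme
# header changes anything (a redirect); on "/post" only the host header does
# (it is reflected in a script URL), so each endpoint reveals one header.
RESPONSES = {
    "/": {
        "baseline": "HTTP/1.1 200 OK\r\nDate: Mon, 31 Jul 2023 15:00:00 GMT\r\nX-Cache: miss\r\n\r\n<p>home</p>",
        "X-Forwarded-Host": "HTTP/1.1 200 OK\r\nDate: Mon, 31 Jul 2023 15:00:01 GMT\r\nX-Cache: hit\r\n\r\n<p>home</p>",
        "X-Forwarded-Scheme": "HTTP/1.1 302 Found\r\nDate: Mon, 31 Jul 2023 15:00:02 GMT\r\nLocation: https://lab.example/\r\n\r\n",
    },
    "/post": {
        "baseline": "HTTP/1.1 200 OK\r\nDate: Mon, 31 Jul 2023 15:00:03 GMT\r\n\r\n<script src=\"//lab.example/js/tracking.js\"></script>",
        "X-Forwarded-Host": "HTTP/1.1 200 OK\r\nDate: Mon, 31 Jul 2023 15:00:04 GMT\r\n\r\n<script src=\"//probe.example/js/tracking.js\"></script>",
        "X-Forwarded-Scheme": "HTTP/1.1 200 OK\r\nDate: Mon, 31 Jul 2023 15:00:05 GMT\r\n\r\n<script src=\"//lab.example/js/tracking.js\"></script>",
    },
}

def detect_all(responses: dict = RESPONSES) -> dict:
    """Run the rule per endpoint; each path lists only the headers it reacts to."""
    return {path: detect_influential_headers(probes) for path, probes in responses.items()}

if __name__ == "__main__":
    print(detect_all())  # {'/': ['X-Forwarded-Scheme'], '/post': ['X-Forwarded-Host']}
```

The same logic explains why Param Miner named a different header on each request in the lab: a header that does not change the response at that endpoint is indistinguishable from no header at all.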

majortom | Last updated: Aug 07, 2023 04:06PM UTC

I see, so to sum up: I would have to use Param Miner on at least 2 different requests to detect those two different headers. They are not detected in the same request.

Syed, PortSwigger Agent | Last updated: Aug 08, 2023 07:14AM UTC

Exactly! The header must have an effect on the response, that's how Param Miner detects them. In this case, only one request does that at a time.
