Exploiting HTTP request smuggling to perform web cache poisoning (Video solution, Audio)

This video shows the solution to the lab "Exploiting HTTP request smuggling to perform web cache poisoning" from PortSwigger's Web Security Academy.

Comments

Author

If you have trouble solving the lab, and keep running into 400 Bad Request responses, try changing the first Content-Length header to "Content-Length: 193". The new format of the exploit server domains added 8 additional characters with the "exploit-" prefix.

DaSchmed
Author

I don't understand this lab at all. As an attacker, when I visit /post?postId=9 and click "next", I get redirected to /post/next?postId=9.

The first POST I send triggers an HTTP 200 and is smuggled with a GET /post/next?postId=9.

So then the "victim" (somehow?) visits the same page and clicks the same button, so the redirect happens to my exploit server. But my exploit server is only configured to respond to /post, not /post/next...

Author

I solved it by repeating the attack a looot of times until I get a stable redirect. However:
1) no need to change the content-length from 185 to 193 for me - it's only needed if "Update Content-Length" is unchecked
2) no need to uncheck "Update Content-Length" in Repeater options (it is not mentioned in the official solution - it is done here only because the smuggling request and the GET ... tracking.js request are unified - but no need if you alternate between the two requests)
3) no need to change from application to text in the exploit server response header (it is not mentioned in the official solution either)

halfluke
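The two comments above about Content-Length (193 versus 185, and Burp's "Update Content-Length" option) both come down to one rule: the header must equal the byte count of the body that actually follows the blank line. Request smuggling works only when a front end and a back end disagree about where that body ends, so the defensive mirror image of the lab is to check request framing strictly. The following is an added example, not code from the video, the commenters or PortSwigger: a small audit of raw HTTP/1.1 requests that flags a Content-Length that does not match the received body, conflicting Content-Length headers, a Transfer-Encoding value other than exactly "chunked", and the presence of both framing headers at once. The sample requests and the host name example.test are constructed here for illustration.

```python
"""Audit raw HTTP/1.1 requests for body-framing ambiguities.

Added example (not part of the video or the comment thread). The
sample requests at the bottom are constructed, not captured traffic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CRLF = b"\r\n"
_DIGITS = re.compile(r"^[0-9]+$")


@dataclass
class ParsedRequest:
    request_line: str
    headers: list[tuple[str, str]] = field(default_factory=list)
    body: bytes = b""


def parse_request(raw: bytes) -> ParsedRequest:
    """Split a raw request into request line, lower-cased header names, and body.

    Header values keep their original text apart from surrounding whitespace so
    the audit can still see unusual spellings of a value.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end-of-headers (CRLF CRLF) found")
    lines = head.split(CRLF)
    request_line = lines[0].decode("latin-1")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return ParsedRequest(request_line, headers, body)


def audit_request(raw: bytes) -> list[str]:
    """Return a list of framing findings for one request; empty means clean."""
    req = parse_request(raw)
    findings: list[str] = []
    cl_values = [v for n, v in req.headers if n == "content-length"]
    te_values = [v for n, v in req.headers if n == "transfer-encoding"]

    # Both headers present: the two ends of a proxy chain may pick different
    # ones, which is exactly the disagreement smuggling depends on.
    if cl_values and te_values:
        findings.append("ambiguous framing: Content-Length and Transfer-Encoding both present")
    if len(set(cl_values)) > 1:
        findings.append(f"conflicting Content-Length headers: {cl_values}")
    for v in cl_values:
        if not _DIGITS.match(v):
            findings.append(f"malformed Content-Length value: {v!r}")
    for v in te_values:
        if v.lower() != "chunked":
            findings.append(f"non-standard Transfer-Encoding value: {v!r}")

    # With Content-Length framing, the declared size must equal the bytes
    # received: too large and the server waits for more, too small and the
    # remainder is read as the start of the next request.
    if cl_values and not te_values and all(_DIGITS.match(v) for v in cl_values):
        declared = int(cl_values[0])
        if declared != len(req.body):
            findings.append(f"Content-Length {declared} does not match body length {len(req.body)}")
    return findings


# Constructed samples (hypothetical host example.test).
CLEAN = (
    b"POST /post/comment HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"comment=hi!"
)
AMBIGUOUS = (
    b"POST /post/comment HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
# Header edited but the body was not: the mismatch the comments describe.
SHORT_BODY = (
    b"POST /post/comment HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"comment=hi!"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("short body", SHORT_BODY)):
        print(label, "->", audit_request(sample) or "ok")
```

The length check counts bytes after the blank line rather than characters, which is why an 8-character longer host name inside the body shifts the correct Content-Length by exactly 8; a proxy or WAF that rejects any request with a finding from this audit removes the ambiguity the lab exploits.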
Author

Not sure which setting fixed it. Project options > check "JavaScript-driven" and uncheck "Enable HTTP/2".

pinglocalhost
Author

Anyone else having issues on this lab?
It looks like the exploit URL has changed and now looks like after sending the request. I only sometimes see it show alert(document.cookie) or the little pixel gif in the top left corner. That is as far as I get. It doesn't show the different pages like in this video.

pinglocalhost
Author

I get an alert(document.cookie) text and it's loading from the exploit server, but I just see the text and not a pop-up. I've been trying hard...

pietrodeveloper