Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)
The solution for Lab: Exploiting HTTP request smuggling to perform web cache deception is INCORRECT.
The Lab appears to be updated and is not using the /apiKey function anymore. Instead it is replaced with /my-account which has an update email address function /my-account/change-email.
I have tried the original solution, and changed the /apiKey with /my-account.
I have also tried using a double carriage-return after the X-Ignore: X, which produces some interesting results. However, I cannot for the life of me solve the updated solution.
Please help or update the Solution appropriately.
I used the following with no success for ages.
POST / HTTP/1.1
GET /my-account HTTP/1.1
I then added 3 additional CRLFs after the X-Ignore: X and submitted several times. This definitely caused the request to be smuggled and caused some interesting results. I then reverted back to the above request and submitted several times in Repeater.
It was the Repeater results in the Burp Search for "POST /" that eventually returned the API Key... weird!
Other people have reported that refreshing the /login page might work and return the results in the /resources/css/labs.css although that did not work for me.
Thank you for your message.
You are correct. We have recently changed some of the Web Academy infrastructure and the solutions are slightly out of sync with the changes that have been made. We are working hard to provide updates to the listed solutions but this will take some time.
I was able to complete the lab by changing the smuggled GET request to use my-account instead of apiKey so that should work.
It is also worth noting that the solutions provided are only one way of completing the labs so you should feel free to experiment with other approaches to see if they also work.