Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)

Andrew Nov 26, 2019 06:57AM UTC

The solution for Lab: Exploiting HTTP request smuggling to perform web cache deception is INCORRECT.

The Lab appears to be updated and is not using the /apiKey function anymore. Instead it is replaced with /my-account which has an update email address function /my-account/change-email.

I have tried the original solution, and changed the /apiKey with /my-account.
I have also tried using a double carriage-return after the X-Ignore: X, which produces some interesting results. However, I cannot for the life of me solve the updated solution.

Please help or update the Solution appropriately.

Andrew Nov 26, 2019 07:06AM UTC
Also, not sure if this is an issue, the GET /academyLabHeader HTTP/1.1 is returning a HTTP/1.1 404 Not Found

Andrew Nov 26, 2019 07:49AM UTC
OK - I finally solved it, but I am not sure it is the "intended" way.

I used the following with no success for ages.

Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Transfer-Encoding: chunked


GET /my-account HTTP/1.1
X-Ignore: X

I then added 3 additional CRLF after the X-Ignore: X and submitted several times. This definitely caused the request to be smuggled and caused some interesting results. I then reverted back to the above request and submitted several times in Repeater.

It was the Repeater results in the Burp Search for "POST /" that eventually returned the API Key... weird!

Other people have reported that refreshing the /login page might work and return the results in the /resources/css/labs.css although that did not work for me.
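The request Andrew posted is the classic CL.TE shape: it carries both Content-Length and Transfer-Encoding: chunked, and the lab works only because the front end frames the body by Content-Length while the back end frames it by chunked encoding. The check below is an added example (not code from the thread or from PortSwigger) of what a reverse-proxy or WAF operator would want in front of such a chain: it parses a raw request, flags any message that carries both headers (RFC 7230 requires such a message to be rejected or to have Content-Length ignored), and reports how many bytes the two framings disagree by. The sample request is constructed to mirror the one in the post; the Host value is a placeholder.

```python
"""Flag HTTP/1.1 requests with ambiguous body framing (CL.TE / TE.CL desync).

Added example for illustration; the request bytes are constructed here and
are not captured traffic.
"""
import re

CRLF = b"\r\n"


def split_head(raw: bytes):
    """Split a raw request into (request line, headers, body).

    Headers are returned as a dict of lower-cased name -> list of values so
    that duplicated headers (another smuggling vector) are visible.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def chunked_body_len(body: bytes) -> int:
    """Return how many bytes a chunked-framing parser consumes from `body`.

    Consumption runs through the zero-length last chunk and the empty line
    that ends the (possibly empty) trailer section. Malformed or truncated
    chunk framing raises ValueError.
    """
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            # last-chunk: the trailer section ends at an empty line
            while True:
                end = body.find(CRLF, pos)
                if end < 0:
                    raise ValueError("truncated trailer section")
                line, pos = body[pos:end], end + 2
                if line == b"":
                    return pos
        if body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated chunk data")
        pos += size + 2


def analyse_framing(raw: bytes) -> dict:
    """Report whether CL and TE framings disagree for a single request."""
    _, headers, body = split_head(raw)
    cl_values = headers.get(b"content-length", [])
    te_values = headers.get(b"transfer-encoding", [])
    chunked = any(b"chunked" in v.lower() for v in te_values)
    report = {
        "has_content_length": bool(cl_values),
        "duplicate_content_length": len(cl_values) > 1,
        "chunked": chunked,
        # Both headers present: RFC 7230 3.3.3 says reject or ignore CL.
        "ambiguous": bool(cl_values) and chunked,
        "content_length": None,
        "chunked_body_bytes": None,
        "desync_bytes": None,
    }
    if cl_values and re.fullmatch(rb"[0-9]+", cl_values[-1]):
        report["content_length"] = int(cl_values[-1].decode("ascii"))
    if chunked:
        try:
            report["chunked_body_bytes"] = chunked_body_len(body)
        except ValueError:
            pass  # back end would wait or fail; still flagged as ambiguous
    if report["content_length"] is not None and report["chunked_body_bytes"] is not None:
        # Positive: bytes a CL front end forwards that a TE back end treats
        # as the start of the next request (CL.TE). Negative: TE.CL.
        report["desync_bytes"] = report["content_length"] - report["chunked_body_bytes"]
    return report


# Constructed sample mirroring the shape of the request in the thread.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab.example\r\n"  # placeholder host
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /my-account HTTP/1.1\r\n"
    b"X-Ignore: X"
)

# Constructed well-formed request for comparison: one framing header only.
CLEAN = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab.example\r\n"  # placeholder host
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"a=b&c"
)

if __name__ == "__main__":
    for name, req in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, analyse_framing(req))
```

Run against the sample, the report shows a Content-Length of 42 but only 5 bytes consumed by chunked framing, a 37-byte disagreement; a front end that normalises requests should drop Content-Length whenever Transfer-Encoding is present, or reject the request outright, and the `duplicate_content_length` flag covers the related double-CL ambiguity in the same pass.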

Ben Wright Nov 26, 2019 10:26AM UTC Support Center agent

Hi Andrew,

Thank you for your message.

You are correct. We have recently changed some of the Web Academy infrastructure and the solutions are slightly out of sync with the changes that have been made. We are working hard to provide updates to the listed solutions but this will take some time.

I was able to complete the lab by changing the smuggled GET request to use my-account instead of apiKey so that should work.

It is also worth noting that the solutions provided are only one way of completing the labs so you should feel free to experiment with other approaches to see if they also work.
