New lab: Exploiting HTTP request smuggling to capture other users' requests
Hi and sorry for bothering again.
I am not able to complete the lab in the subject after following the lab solution.
As far as I understand, there should be "another user" accessing the blog comments page, whose session cookie should be captured thanks to my previous "smuggled" request.
I wait for several minutes, but when I refresh the page, the only credentials that are captured are mine. I send my smuggled request only once, and not twice as in the other exercises, as I understand that the second request is the one from the other user "bot".
Is this correct?
Thank you in advance,
Thanks for letting us know, Luca.
I cannot find a way to get an API key different from the one that is already accessible with the given user - and that key is not accepted as the solution for the lab.
I'm not entirely sure which key I am supposed to retrieve, another bot?
Can you please help me on this last lab?