New lab: Exploiting HTTP request smuggling to capture other users' requests
Hi and sorry for bothering again.
I am not able to complete the lab in the subject after following the lab solution.
As far as I understand, there should be "another user" accessing the blog comments page, whose session cookie should be captured thanks to my previous "smuggled" request.
I wait for several minutes, but when I refresh the page, the only credentials that are captured are mine. I send my smuggled request only once, and not twice as in the other exercises, as I understand that the second request is the one from the other user "bot".
Is this correct?
Thank you in advance,
Thanks for letting us know Luca.
I cannot find a way to get an API key different from the one that is already accessible with the given user - and that key is not accepted as solution for the lab.
I'm not entirely sure which key I am supposed to retrieve, another bot?
Can you please help me on this last lab?
I had a lot more problems solving the "Exploiting HTTP request smuggling to capture other users' requests" lab and only figured out what I was doing wrong after 3-4 days of trying.
Now how do I check the static resources? I tried to use Chrome Inspect tool and check the resources folder but they just look the same every time. Is that the right way to check the .js static resources?
Do I have to be logged in as carlos when I refresh the home page in incognito browser?
Waiting for a step by step guide from some kind soul...
The resource that gives the victim's API key is:
/resources/css/labs.css (tested 3 times)
which is only loaded when we load the page
- send the solution to repeater: exactly as it is, with content-length 38, several times. It doesn't matter whether or not you are logged in as carlos
- in an incognito window, reload the page https://your_id.web-security-academy.net/login
If the api key of the victim is not present, rinse and repeat.
The solution for the lab doesn't mention the /login page, which is the main source of confusion in my opinion. If you load and refresh the home page only in incognito mode, /resources/css/labs.css is never loaded.
Two months spent on this...
(Also not sure why we do not need a double new line at the end of the evil request, as opposed to other labs - and the hint to manually fix the content length doesn't apply here - Overall a complex topic not easy to exploit in an ad hoc lab, let alone in real world, imho)
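The step-by-step above hinges on the front end and back end disagreeing about where the smuggled request's body ends (the Content-Length of 38 versus the chunked framing), which is also why no trailing blank line is needed. The following is an added example, not code from the lab or from PortSwigger, showing the check a hardened front end or proxy would run on a buffered request before forwarding it: parse the body under both Content-Length and Transfer-Encoding rules and flag any disagreement. The sample requests, the host name example.test, and the function names are constructed for this example.

```python
"""Strict HTTP/1.1 request-framing check (added example, not lab code).

A request-smuggling desync needs two servers that disagree on where one
request's body ends. This detector does what a strict front end should do:
it parses the body under both Content-Length and chunked rules and reports
every disagreement, so an ambiguous request can be rejected rather than
forwarded. Sample requests at the bottom are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import Optional

CRLF = b"\r\n"


@dataclass
class FramingReport:
    declared_length: Optional[int]   # Content-Length value, if present and numeric
    chunked_length: Optional[int]    # bytes consumed by chunked framing, if parsed
    leftover: bytes                  # bytes remaining after the body ends
    problems: list = field(default_factory=list)

    @property
    def ambiguous(self) -> bool:
        return bool(self.problems)


def split_request(raw: bytes):
    """Split a raw request into (request line, [(lowercased name, value)], body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("request has no end-of-headers blank line")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def consume_chunked(body: bytes):
    """Parse chunked framing; return (bytes consumed, leftover) or None if malformed.

    Trailer fields are not supported: the terminating zero-size chunk must be
    followed directly by an empty line.
    """
    pos = 0
    while True:
        line_end = body.find(CRLF, pos)
        if line_end < 0:
            return None
        size_token = body[pos:line_end].split(b";")[0].strip()  # drop chunk extensions
        try:
            size = int(size_token, 16)
        except ValueError:
            return None
        pos = line_end + 2
        if size == 0:
            if body[pos:pos + 2] != CRLF:
                return None
            pos += 2
            return pos, body[pos:]
        if body[pos + size:pos + size + 2] != CRLF:  # chunk data must end with CRLF
            return None
        pos += size + 2


def analyze(raw: bytes) -> FramingReport:
    """Report every way the framing headers of a buffered request disagree."""
    _, headers, body = split_request(raw)
    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    problems = []

    declared = None
    if cl_values:
        if len(set(cl_values)) > 1:
            problems.append("conflicting Content-Length headers")
        if cl_values[0].isdigit():
            declared = int(cl_values[0])
        else:
            problems.append("non-numeric Content-Length")

    chunked = None
    leftover = b""
    if te_values:
        if cl_values:
            problems.append("both Content-Length and Transfer-Encoding present")
        # Only an exact final coding of "chunked" is accepted; any variant is
        # treated as an attempt to make two parsers disagree.
        final_coding = te_values[-1].split(b",")[-1].strip()
        if final_coding != b"chunked":
            problems.append(f"unrecognised Transfer-Encoding {te_values[-1]!r}")
        else:
            parsed = consume_chunked(body)
            if parsed is None:
                problems.append("malformed chunked body")
            else:
                chunked, leftover = parsed
                if declared is not None and declared != chunked:
                    problems.append(f"Content-Length {declared} vs chunked body {chunked} bytes")
    elif declared is not None and declared != len(body):
        leftover = body[declared:]
        problems.append(f"Content-Length {declared} but {len(body)} body bytes in buffer")

    return FramingReport(declared, chunked, leftover, problems)


# Constructed samples. CL_TE_REQUEST carries both headers and a Content-Length
# that covers bytes beyond the chunked terminator; a CL-only parser would
# treat those bytes as body while a TE parser leaves them for the next request.
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nGET /x"
)
CLEAN_CHUNKED = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)
CLEAN_CL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for name, req in (("CL.TE", CL_TE_REQUEST), ("chunked", CLEAN_CHUNKED), ("CL", CLEAN_CL)):
        print(name, analyze(req))
```

Running the block prints a report per sample: the CL.TE request is flagged twice (both headers present, and a Content-Length that disagrees with the chunked body) with the trailing bytes surfaced as leftover, while the two clean requests produce no problems. A front end that rejects any request with a non-empty problems list removes the ambiguity the lab relies on.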
I am referring to the initial lab mentioned in this post "Exploiting HTTP request smuggling to capture other users' requests"
The lab appears to have been updated and no longer uses the /apiKey function. Instead it has been replaced with /my-account, which has an update-email-address function at /my-account/change-email.
I have tried the original solution, and changed the /apiKey with /my-account.
I have also tried using a double carriage-return after the X-Ignore: X, which produces some interesting results. However, I cannot for the life of me solve the updated solution.
Please help or update the Solution appropriately.