Lab: Exploiting HTTP request smuggling to capture other users' requests

After starting the exercise, the blog should look similar to the following illustration.

Now let's take a look at any blog entry and add a comment. To do this, we fill in all the fields in the comment form and submit it by clicking on Post comment.

Now we open Burp Proxy and its HTTP history tab. In the HTTP history, we search for the request POST /post/comment and send it to Burp Repeater using the key combination CTRL + R.

In Burp Repeater, we change the order of the body parameters so that the comment parameter is at the end.

We now send the request to the application to ensure that it still works and see that another comment has been added.

In Burp Proxy, we search for the request GET / HTTP/1.1 and send it to Burp Repeater using the key combination CTRL + R.

In Burp Repeater, we now have the request that adds an entry to a blog post and the first request to the blog after the application was opened.

The first request to the application.

The request that adds a comment to a blog entry (with the changed order of the parameters in the body).

We make the following changes to the first request: We change the HTTP method from GET to POST. To do this, right-click on the request and select Change request method. Then we remove all headers except Content-Length, Content-Type and Host. At the end of the request, we add the header Transfer-Encoding with the value chunked.

We will now modify the request to add a comment. First, we will change the HTTP version from 2 to 1.1. To do this, we can use the Inspector in Burp Repeater.

Next, we remove all headers except Content-Type, Content-Length and Cookie. All parameters in the body also remain in the request. We initially set the value of the Content-Length header to 400. The request should now look like this.

We now insert the second request into the body of the first request and make sure that a line containing only 0, followed by an empty line, is inserted before it. This 0 is the terminating chunk: the chunked parser stops reading the body there, while the Content-Length parser continues into the inserted request. Without it, the attack will not work. The request should look like this.

We now send the request to the application. When we receive an HTTP/1.1 200 OK response, we switch to our browser to check the comments. We see that captured request data now appears in the comment field.

Since we want to extract the user's cookie, we need to increase the value in our Content-Length header slightly. We now enter 450 instead of 400 as the value and send the request again. When we receive another HTTP/1.1 200 OK response in Burp Repeater, we switch to the browser and check the comment field. Now we can see part of the cookie. The problem is that it is our own cookie. That doesn't help us much.

We now increase the value of the Content-Length header to 900 and send the request again. If we receive another HTTP/1.1 200 OK response in Burp Repeater, we switch to the browser and check the comment field. There we now see a different request and part of a Secret header. It may be necessary to send several requests to see the header in the comment field.

In this example, the value 970 of the Content-Length header was sufficient to extract the two headers Secret and Session. In your example, it may be a value other than 970. In addition, several attempts may be needed before another user's request is displayed. You should send a request, switch to the browser and refresh the web page. Check the comment field and, if only your own request is visible, go back to Burp Repeater and start again.

Now we copy the value of the Session header (Jm7UBUkLoYe4rxmmendqhPEqFlKnPdXS) and click on the My account link.

In the login form, we enter carlos as the username and 123456 as the password. Before clicking Log in, we first switch to Burp Proxy and click the Intercept is off button so that it switches to Intercept is on.

Now we click on Log in and see the request in Burp Proxy. There, we replace the value of session in the Cookie header with the value we copied from the comment field and forward the request.

In the browser, we refresh the tab and will likely see a message: CSRF token is invalid. We then refresh the browser again and have successfully completed the exercise.
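The lab works because the front-end frames the body by Content-Length while the back-end frames it by Transfer-Encoding: chunked. As an added example (not code from the lab or PortSwigger), the following check shows what a front-end or reverse proxy should do with such a request: compute the body length each parser would use and reject the request whenever the two views differ. The sample request, the host name lab.example and the trailing LEFTOVER bytes are constructed for illustration; HTTP/1.1 with CRLF line endings is assumed.

```python
# Added example (not the lab's code): a front-end check for the CL/TE framing
# ambiguity this lab exploits. Assumes HTTP/1.1 with CRLF line endings.

def parse_request(raw: bytes):
    """Split a raw request into (request line, {name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def chunked_length(body: bytes):
    """Bytes a chunked parser consumes up to the terminating 0 chunk, or None."""
    pos = 0
    try:
        while True:
            end = body.index(b"\r\n", pos)
            size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
            pos = end + 2 + size + 2                      # size line, data, CRLF
            if size == 0:
                return pos
    except ValueError:
        return None

def check_request(raw: bytes) -> dict:
    """Verdict dict; 'reject' is True whenever body framing is ambiguous."""
    _, headers, body = parse_request(raw)
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    verdict = {"reject": False, "reason": "framing is unambiguous"}
    if len(set(cl)) > 1:
        verdict.update(reject=True, reason="conflicting Content-Length values")
    elif te and te != [b"chunked"]:
        verdict.update(reject=True, reason="obfuscated Transfer-Encoding")
    elif cl and te:  # the CL.TE case: the two parsers disagree on the body end
        cl_view, te_view = int(cl[0]), chunked_length(body)
        verdict.update(reject=True, reason="Content-Length and Transfer-Encoding",
                       cl_view=cl_view, te_view=te_view,
                       leftover=None if te_view is None else cl_view - te_view)
    return verdict

# Constructed sample shaped like the lab's first request: a chunked parser stops
# after "0\r\n\r\n" (5 bytes) while Content-Length says 13, so 8 bytes stay
# buffered and are treated by the back-end as the start of the next request.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\nLEFTOVER")
```

Running check_request(SAMPLE) reports the 13-byte versus 5-byte disagreement and an 8-byte leftover; a front-end that rejects (or normalises to a single framing method before forwarding) such requests removes the desync this lab relies on.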
