
Lab: Browser cache poisoning via client-side desync

EXPERT

This lab is vulnerable to client-side desync attacks. You can exploit this to induce a victim's browser to poison its own cache.

To solve the lab:

  1. Identify a client-side desync vector in Burp, then confirm that you can trigger the desync from a browser.

  2. Identify a gadget that enables you to trigger an open redirect.

  3. Combine these to craft an exploit that causes the victim's browser to poison its cache with a malicious resource import that calls alert(document.cookie) from the context of the main lab domain.

Note

When testing your attack in the browser, make sure you clear your cached images and files between each attempt (Settings > Clear browsing data > Cached images and files).

This lab is based on real-world vulnerabilities discovered by PortSwigger Research. For more details, check out Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling.
