1. Web Security Academy
  2. Request smuggling
  3. Browser-powered
  4. Client-side desync
  5. Lab

Lab: Client-side desync


This lab is vulnerable to client-side desync attacks because the server ignores the Content-Length header on requests to some endpoints. You can exploit this to induce a victim's browser to disclose its session cookie.

To solve the lab:

  1. Identify a client-side desync vector in Burp, then confirm that you can replicate this in your browser.

  2. Identify a gadget that enables you to store text data within the application.

  3. Combine these to craft an exploit that causes the victim's browser to issue a series of cross-domain requests that leak their session cookie.

  4. Use the stolen cookie to access the victim's account.

This lab is based on real-world vulnerabilities discovered by PortSwigger Research. For more details, check out Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling.

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy
  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here