Lab: URL normalization
This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding.
To solve the lab, take advantage of the cache's normalization process to exploit this vulnerability. Find the XSS vulnerability and inject a payload that will execute
alert(1) in the victim's browser. Then, deliver the malicious URL to the victim.
In Burp Repeater, browse to any non-existent path, such as
GET /random. Notice that the path you requested is reflected in the error message.
Add a suitable reflected XSS payload to the request line:
- Notice that if you request this URL in your browser, the payload doesn't execute because it is URL-encoded.
In Burp Repeater, poison the cache with your payload and then immediately load the URL in your browser. This time, the
alert()is executed because your browser's encoded payload was URL-decoded by the cache, causing a cache hit with the earlier request.
- Re-poison the cache then immediately go to the lab and click "Deliver link to victim". Submit your malicious URL. The lab will be solved when the victim visits the link.