In Burp Repeater, browse to any non-existent path, such as
GET /random. Notice that the path you requested is reflected in the error message.
Add a suitable reflected XSS payload to the request line:
- Notice that if you request this URL in the browser, the payload doesn't execute because it is URL-encoded.
In Burp Repeater, poison the cache with your payload and then immediately load the URL in the browser. This time, the
alert()is executed because the browser's encoded payload was URL-decoded by the cache, causing a cache hit with the earlier request.
- Re-poison the cache then immediately go to the lab and click "Deliver link to victim". Submit your malicious URL. The lab will be solved when the victim visits the link.
Lab: URL normalization
This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding.
To solve the lab, take advantage of the cache's normalization process to exploit this vulnerability. Find the XSS vulnerability and inject a payload that will execute
alert(1) in the victim's browser. Then, deliver the malicious URL to the victim.