Lab: URL normalization

PRACTITIONER

This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding.

To solve the lab, take advantage of the cache's normalization process to exploit this vulnerability. Find the XSS vulnerability and inject a payload that will execute alert(1) in the victim's browser. Then, deliver the malicious URL to the victim.

Access the lab

Solution

In Burp Repeater, browse to any non-existent path, such as GET /random. Notice that the path you requested is reflected in the error message.
Add a suitable reflected XSS payload to the request line:
GET /random</p><script>alert(1)</script><p>foo
Notice that if you request this URL in the browser, the payload doesn't execute because it is URL-encoded.
In Burp Repeater, poison the cache with your payload and then immediately load the URL in the browser. This time, the alert() is executed because the browser's encoded payload was URL-decoded by the cache, causing a cache hit with the earlier request.
Re-poison the cache then immediately go to the lab and click "Deliver link to victim". Submit your malicious URL. The lab will be solved when the victim visits the link.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

Web cache poisoning Exploiting cache design flaws Exploiting cache implementation flaws

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here

Lab: URL normalization

Solution

In this topic

All topics

Find web cache poisoning vulnerabilities using Burp Suite

Register for free to track your learning progress