Identify a target endpoint
-
In Burp's browser, log in to the application using the credentials
wiener:peter
. -
Notice that the response contains your API key.
Investigate path delimiters used by the origin server
-
In Proxy > HTTP history, right-click the
GET /my-account
request and select Send to Repeater. -
Change the URL path to
/my-account/abc
, then send the request. Notice the404 Not Found
response. This indicates that the origin server doesn't abstract the path to/my-account
. -
Change the path to
/my-accountabc
, then send the request. Notice that this returns a404 Not Found
response with no evidence of caching. -
Right-click the message and select Send to Intruder.
-
Go to the Intruder tab. Make sure the Sniper attack type is selected and add a payload position after
/my-account
as follows:/my-account§§abc
. -
Go to the Payloads tab. Under Payload settings [Simple list], add a list of characters that may be used as delimiters.
-
Under Payload encoding, deselect URL-encode these characters.
-
Click Start attack. The attack runs in a new window.
-
When the attack finishes, sort the results by Status code. Notice that the
#
,?
,%23
, and%3f
characters receive a200
response with your API key. This indicates that they're used by the origin server as path delimiters. Ignore the#
character. It can't be used for an exploit as the victim's browser will use it as a delimiter before forwarding the request to the cache.
Investigate path delimiter discrepancies
-
Go to the Repeater tab that contains the
/my-accountabc
request. Add the?
character after/my-account
and add a static extension to the path. For example, update the path to/my-account?abc.js
. -
Send the request. Notice that the response doesn't contain evidence of caching. This either indicates that the cache also uses
?
as a path delimiter, or that the cache doesn't have a rule based on the.js
extension. -
Repeat this test using the
%23
and%3f
characters instead of?
. Notice that the responses don't show evidence of caching.
Investigate normalization discrepancies
-
Remove the query string and add an arbitrary directory followed by an encoded dot-segment to the start of the original path. For example,
/aaa/..%2fmy-account
. -
Send the request. Notice that this receives a
404
response. This indicates that the origin server doesn't decode or resolve the dot-segment to normalize the path to/my-account
. -
In Proxy > HTTP history, notice that static resources share the URL path directory prefix
/resources
. Notice that responses to requests with the/resources
prefix show evidence of caching. -
Right-click a request with the prefix
/resources
and select Send to Repeater. -
In Repeater, add an encoded dot-segment and arbitrary directory before the
/resources
prefix. For example,/aaa/..%2fresources/YOUR-RESOURCE
. -
Send the request. Notice that the
404
response contains theX-Cache: miss
header. -
Resend the request. Notice that the value of the
X-Cache
header updates tohit
. This may indicate that the cache decodes and resolves the dot-segment and has a cache rule based on the/resources
prefix. To confirm this, you'll need to conduct further testing. It's still possible that the response is being cached due to a different cache rule. -
Add an encoded dot-segment after the
/resources
path prefix as follows:/resources/..%2fYOUR-RESOURCE
. -
Send the request. Notice that the
404
response no longer contains evidence of caching. This indicates that the cache decodes and resolves the dot-segment and has a cache rule based on the/resources
prefix.
Craft an exploit
-
Go to the Repeater tab that contains the
/aaa/..%2fmy-account
request. Use the?
delimiter to attempt to construct an exploit as follows:/my-account?%2f%2e%2e%2fresources
-
Send the request. Notice that this receives a
200
response with your API key, but doesn't contain evidence of caching. -
Repeat this test using the
%23
and%3f
characters instead of?
. Notice that when you use the%23
character this receives a200
response with your API key and theX-Cache: miss
header. Resend and notice that this updates toX-Cache: hit
. You can use this delimiter for an exploit. -
In Burp's browser, click Go to exploit server.
-
In the Body section, craft an exploit that navigates the victim user
carlos
to a malicious URL. Make sure to add an arbitrary parameter as a cache buster:<script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account%23%2f%2e%2e%2fresources?wcd"</script>
-
Click Deliver exploit to victim.
-
Go to the URL that you delivered to
carlos
in your exploit:https://YOUR-LAB-ID.web-security-academy.net/my-account%23%2f%2e%2e%2fresources?wcd
-
Notice that the response includes the API key for the user
carlos
. Copy this. -
Click Submit solution, then submit the API key for
carlos
to solve the lab.