Identify a target endpoint
-
In Burp's browser, log in to the application using the credentials
wiener:peter
. -
Notice that the response contains your API key.
Investigate path delimiter discrepancies
-
In Proxy > HTTP history, right-click the
GET /my-account
request and select Send to Repeater. -
Go to the Repeater tab. Change the path to
/my-account/abc
, then send the request. Notice the404 Not Found
response. This indicates that the origin server doesn't abstract the path to/my-account
. -
Change the path to
/my-accountabc
, then send the request. Notice that this returns a404 Not Found
response with no evidence of caching. -
Right-click the message and select Send to Intruder.
-
Go to the Intruder tab. Make sure the Sniper attack type is selected and add a payload position after
/my-account
as follows:/my-account§§abc
. -
Go to the Payloads tab. Under Payload settings [Simple list], add a list of characters that may be used as delimiters. Under Payload encoding, deselect URL-encode these characters.
-
Click Start attack. The attack runs in a new window.
-
When the attack finishes, sort the results by Status code. Notice that only the
?
character receives a200
response with your API key. This indicates that the origin server only uses?
as a path delimiter. As?
is generally universally used as a path delimiter, move on to investigate normalization discrepancies.
Investigate normalization discrepancies
-
In Repeater, remove the arbitrary
abc
string and add an arbitrary directory followed by an encoded dot-segment to the start of the original path. For example,/aaa/..%2fmy-account
. -
Send the request. Notice that this receives a
200
response with your API key. This indicates that the origin server decodes and resolves the dot-segment, interpreting the URL path as/my-account
. -
In Proxy > HTTP history, notice that the paths for static resources all start with the directory prefix
/resources
. Notice that responses to requests with the/resources
prefix show evidence of caching. -
Right-click a request with the prefix
/resources
and select Send to Repeater. -
In Repeater, add an encoded dot-segment after the
/resources
path prefix, such as/resources/..%2fYOUR-RESOURCE
. -
Send the request. Notice that the
404
response contains theX-Cache: miss
header. -
Resend the request. Notice that the value of the
X-Cache
header changes tohit
. This may indicate that the cache doesn't decode or resolve the dot-segment and has a cache rule based on the/resources
prefix. To confirm this, you'll need to conduct further testing. It's still possible that the response is being cached due to a different cache rule. -
Modify the URL path after
/resources
to a arbitrary string as follows:/resources/aaa
. Send the request. Notice that the404
response contains theX-Cache: miss
header. -
Resend the request. Notice that the value of the
X-Cache
header changes tohit
. This confirms that there is a static directory cache rule based on the/resources
prefix.
Craft an exploit
-
Go to the Repeater tab that contains the
/aaa/..%2fmy-account
request. Attempt to construct an exploit as follows:/resources/..%2fmy-account
. Send the request. Notice that this receives a200
response with your API key and theX-Cache: miss
header. -
Resend the request and notice that the value of the
X-Cache
header updates tohit
. -
In Burp's browser, click Go to exploit server.
-
In the Body section, craft an exploit that navigates the victim user
carlos
to a malicious URL. Make sure to add an arbitrary parameter as a cache buster, so the victim doesn't receive your previously cached response:<script>document.location="https://YOUR-LAB-ID.web-security-academy.net/resources/..%2fmy-account?wcd"</script>
-
Click Deliver exploit to victim. When the victim views the exploit, the response they receive is stored in the cache.
-
Go to the URL that you delivered to
carlos
in your exploit:https://YOUR-LAB-ID.web-security-academy.net/resources/..%2fmy-account?wcd
-
Notice that the response includes the API key for the user
carlos
. Copy this. -
Click Submit solution, then submit the API key for
carlos
to solve the lab.