Identify a target endpoint

- In Burp's browser, log in to the application using the credentials wiener:peter.
- Notice that the response contains your API key.
Identify path delimiters used by the origin server

- In Proxy > HTTP history, right-click the GET /my-account request and select Send to Repeater.
- Go to the Repeater tab. Add an arbitrary segment to the path. For example, change the path to /my-account/abc.
- Send the request. Notice the 404 Not Found response with no evidence of caching. This indicates that the origin server doesn't abstract the path to /my-account.
- Remove the arbitrary segment and add an arbitrary string to the original path. For example, change the path to /my-accountabc.
- Send the request. Notice the 404 Not Found response with no evidence that the response was cached. You'll use this response as a reference to help you identify characters that aren't used as delimiters.
- Right-click the request and select Send to Intruder.
- Go to the Intruder tab. Make sure the Sniper attack type is selected and add a payload position after /my-account as follows: /my-account§§abc.
- Go to the Payloads tab. Under Payload settings [Simple list], add a list of characters that may be used as delimiters.
- Under Payload encoding, deselect URL-encode these characters.
- Click Start attack. The attack runs in a new window.
- When the attack finishes, sort the results by Status code. Notice that the ; and ? characters receive a 200 response with your API key. All other characters receive the 404 Not Found response. This indicates that the origin server uses ; and ? as path delimiters.
Investigate path delimiter discrepancies

- Go to the Repeater tab that contains the /my-accountabc request.
- Add the ? character after /my-account and add a static file extension to the path. For example, update the path to /my-account?abc.js.
- Send the request. Notice that the response doesn't contain evidence of caching. This may indicate that the cache also uses ? as a path delimiter.
- Repeat this test using the ; character instead of ?. Notice that the response contains the X-Cache: miss header.
- Resend the request. Notice that the value of the X-Cache header changes to hit. This indicates that the cache doesn't use ; as a path delimiter and has a cache rule based on the .js static extension. You can use this payload for an exploit.
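To check a deployment for the same discrepancy these steps uncover, here is an added Python model (not part of the lab and not Burp's own code) that applies the origin's delimiter set and the cache's delimiter set to one request path and flags requests the cache would store as a static .js file while the origin serves /my-account; it also runs that check over constructed access-log lines so the pattern can be spotted after the fact. The delimiter sets and the .js rule come from this lab; the log format, the extra extensions and the sample lines are assumptions.

```python
import re

# Delimiter sets observed in this lab: the origin truncates the path at ';' or '?',
# the cache only at '?'. Adjust both for the deployment you are checking.
ORIGIN_DELIMITERS = (";", "?")
CACHE_DELIMITERS = ("?",)
# Extensions the cache rule treats as static: .js comes from the lab, the rest are assumed.
STATIC_EXTENSIONS = (".js", ".css", ".png")
# Routes that return per-user data and must never be served from the cache.
SENSITIVE_ROUTES = ("/my-account",)

# Constructed sample access-log lines (Common Log Format); not captured from the lab.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /my-account HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /my-account?abc.js HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /my-account;wcd.js HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /resources/js/app.js HTTP/1.1" 200 4096',
]
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" \d{3}')

def resolve_path(raw_path: str, delimiters) -> str:
    """Return the path as a component that stops at the first of `delimiters` sees it."""
    cut = len(raw_path)
    for d in delimiters:
        i = raw_path.find(d)
        if i != -1:
            cut = min(cut, i)
    return raw_path[:cut]

def cache_would_store(raw_path: str) -> bool:
    """Model the cache rule: key on the cache's own view of the path, match static extensions."""
    return resolve_path(raw_path, CACHE_DELIMITERS).lower().endswith(STATIC_EXTENSIONS)

def origin_route(raw_path: str) -> str:
    """Model the origin: everything from the first origin delimiter onward is ignored for routing."""
    return resolve_path(raw_path, ORIGIN_DELIMITERS)

def is_cache_deception_candidate(raw_path: str) -> bool:
    """True when the cache would store the response but the origin served a sensitive route."""
    return cache_would_store(raw_path) and origin_route(raw_path) in SENSITIVE_ROUTES

def flag_log(lines) -> list:
    """Paths of logged requests that match the delimiter-discrepancy pattern."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_cache_deception_candidate(m.group("path")):
            flagged.append(m.group("path"))
    return flagged
```

The fix the model points at is to make both components agree: either have the cache honour the same delimiters as the origin, or have the origin refuse to route /my-account when the path carries a static extension.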
Craft an exploit

- In Burp's browser, click Go to exploit server.
- In the Body section, craft an exploit that navigates the victim user carlos to the malicious URL you crafted earlier. Make sure to change the arbitrary string, so the cache creates a unique key and carlos caches their account details instead of receiving your previously cached response: <script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account;wcd.js"</script>
- Click Deliver exploit to victim. When the victim views the exploit, the response they receive is stored in the cache.
- Go to the URL that you delivered to carlos: https://YOUR-LAB-ID.web-security-academy.net/my-account;wcd.js
- Notice that the response includes the API key for carlos. Copy this.
- Click Submit solution, then submit the API key for carlos to solve the lab.