25.9 Lab: URL normalization in Web Cache Poisoning

Karthikeyan Nagaraj
2 min read · May 28, 2024

Description

This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding.

To solve the lab, take advantage of the cache’s normalization process to exploit this vulnerability. Find the XSS vulnerability and inject a payload that will execute alert(1) in the victim's browser. Then, deliver the malicious URL to the victim.

Solution

  1. In Burp Repeater, browse to any non-existent path, such as GET /random. Notice that the path you requested is reflected in the error message.
  2. Add a suitable reflected XSS payload to the request line:
    GET /test<script>alert(1)</script>
  3. Notice that if you request this URL in the browser, the payload doesn’t execute because it is URL-encoded.
  4. In Burp Repeater, poison the cache with your payload and then immediately load the URL in the browser. This time, the alert(1) is executed: the cache URL-decoded the browser's encoded path when building its key, so the request hit the entry created by the earlier Repeater request.
  5. Re-poison the cache, then immediately go to the lab and click “Deliver link to victim”. Submit your malicious URL. The lab will be solved when the victim visits the link.
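The steps above rely on a mismatch between how the cache keys the request and how the origin reflects it. The following is an added simulation (not the lab's or PortSwigger's code) of that mismatch; it assumes a cache that URL-decodes the path to build its key and an origin whose 404 page reflects the requested path, and it shows beside the vulnerable setup the two changes that break the attack: keying the cache on the raw path, or HTML-escaping the reflection.

```python
from html import escape
from urllib.parse import quote, unquote

# Raw request line from Burp Repeater, as in step 2 of the lab.
PAYLOAD_PATH = "/test<script>alert(1)</script>"

def origin(path: str, escape_reflection: bool) -> str:
    """Origin server (constructed): 404 page that reflects the requested path.
    Vulnerable variant reflects the raw path; hardened variant HTML-escapes it."""
    shown = escape(path, quote=True) if escape_reflection else path
    return f"<p>Not found: {shown}</p>"

class Cache:
    """Minimal shared cache in front of origin(). normalize_key=True keys on the
    URL-decoded path (the lab's behaviour); False keys on the raw path as sent."""
    def __init__(self, normalize_key: bool, escape_reflection: bool = False):
        self.normalize_key = normalize_key
        self.escape_reflection = escape_reflection
        self.store: dict[str, str] = {}
        self.hits = 0

    def key(self, path: str) -> str:
        return unquote(path) if self.normalize_key else path

    def get(self, path: str) -> str:
        k = self.key(path)
        if k in self.store:
            self.hits += 1
            return self.store[k]
        body = origin(path, self.escape_reflection)  # miss: fetch and store
        self.store[k] = body
        return body

def browser_encode(path: str) -> str:
    """What a browser actually sends: '<', '>', '(' and ')' percent-encoded,
    which is why the payload is inert when typed into the address bar (step 3)."""
    return quote(path, safe="/")

def simulate(normalize_key: bool, escape_reflection: bool) -> tuple[int, bool]:
    """Returns (cache hits seen by the victim request, whether the victim's
    response body contains the unescaped <script> tag)."""
    cache = Cache(normalize_key, escape_reflection)
    cache.get(PAYLOAD_PATH)                                 # step 4: Repeater seeds the cache
    victim_body = cache.get(browser_encode(PAYLOAD_PATH))   # victim's browser request
    return cache.hits, "<script>" in victim_body

if __name__ == "__main__":
    print("lab (decoded key, raw reflection):   ", simulate(True, False))   # (1, True)
    print("fix A (raw key, raw reflection):     ", simulate(False, False))  # (0, False)
    print("fix B (decoded key, escaped output): ", simulate(True, True))    # (1, False)
```

Fix A removes the cache hit, so the victim only ever sees the harmless encoded reflection; fix B keeps the hit but the stored body is already escaped, which is the change that actually closes the XSS.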
