Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: URL normalization

PRACTITIONER

This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding.

To solve the lab, take advantage of the cache's normalization process to exploit this vulnerability. Find the XSS vulnerability and inject a payload that will execute alert(1) in the victim's browser. Then, deliver the malicious URL to the victim.

ACCESS THE LAB

Solution

  1. In Burp Repeater, browse to any non-existent path, such as GET /random. Notice that the path you requested is reflected in the error message.

  2. Add a suitable reflected XSS payload to the request line:

    GET /random</p><script>alert(1)</script><p>foo
  3. Notice that if you request this URL in the browser, the payload doesn't execute because it is URL-encoded.
  4. In Burp Repeater, poison the cache with your payload and then immediately load the URL in the browser. This time, the alert() is executed because the browser's encoded payload was URL-decoded by the cache, causing a cache hit with the earlier request.
  5. Re-poison the cache then immediately go to the lab and click "Deliver link to victim". Submit your malicious URL. The lab will be solved when the victim visits the link.

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find web cache poisoning vulnerabilities using Burp Suite

Try for free