URL normalisation

Description

This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding.

Reproduction

  1. In Burp Repeater, browse to any non-existent path, such as GET /random. The requested path is reflected in the error message.

  2. Add a suitable reflected XSS payload to the request line:

     GET /random</p><script>alert(1)</script><p>foo

  3. Request this URL in the browser: the payload does not execute, because the browser URL-encodes the angle brackets before sending the request.

  4. In Burp Repeater, poison the cache with the payload and then immediately load the URL in the browser. This time the alert() executes, because the cache URL-decodes the browser's encoded path when building its cache key, so the request hits the entry that the earlier, unencoded request poisoned.

  5. Re-poison the cache, then immediately go to the lab and click "Deliver link to victim". Submit the malicious URL. The lab is solved when the victim visits the link.
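The following simulation is an added example, not part of the lab or of any PortSwigger code. It models the mechanism above in a few lines: a cache whose key function URL-decodes the request path (the weak setting) collides the browser's encoded request with the raw poisoning request, while a cache that keys on the path exactly as received does not. It also shows the origin-side fix, HTML-escaping the reflected path, which removes the XSS even when the cache still collides. All names (`Cache`, `probe`, the `/random<b>marker</b>` path) are constructed for this example; the harmless `<b>` marker stands in for the lab's payload.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample input: an unencoded path that injects markup into the
# reflected 404 message. The marker is harmless; the mechanism is identical.
RAW_PATH = "/random<b>marker</b>"

# Approximation of what a browser sends: angle brackets become %3C / %3E,
# the path separator is left alone.
ENCODED_PATH = quote(RAW_PATH, safe="/")


def origin_unsafe(raw_path: str) -> str:
    """Origin that reflects the path verbatim (the lab's behaviour)."""
    return f"<p>Not found: {raw_path}</p>"


def origin_escaped(raw_path: str) -> str:
    """Origin fixed to HTML-escape the reflected path."""
    return f"<p>Not found: {html.escape(raw_path)}</p>"


def key_decoded(raw_path: str) -> str:
    """Weak cache key: URL-decodes before keying, so distinct wire paths
    (raw vs. browser-encoded) map to the same cache entry."""
    return unquote(raw_path)


def key_verbatim(raw_path: str) -> str:
    """Corrected cache key: the path exactly as received on the wire."""
    return raw_path


class Cache:
    """Minimal response cache parameterised by key function and origin."""

    def __init__(self, key_fn, origin_fn):
        self.key_fn = key_fn
        self.origin_fn = origin_fn
        self.store = {}

    def get(self, raw_path: str):
        """Return (body, hit). On a miss, fetch from origin and store it."""
        key = self.key_fn(raw_path)
        if key in self.store:
            return self.store[key], True
        body = self.origin_fn(raw_path)
        self.store[key] = body
        return body, False


def probe(key_fn, origin_fn) -> dict:
    """Replay the lab's sequence: an unencoded poisoning request, then the
    browser's encoded request for the same URL. Report whether the second
    request hit the first's entry and whether raw markup was served."""
    cache = Cache(key_fn, origin_fn)
    cache.get(RAW_PATH)                       # poisoning request (Repeater)
    body, hit = cache.get(ENCODED_PATH)       # browser's encoded request
    return {"hit": hit, "raw_markup_served": "<b>" in body}


if __name__ == "__main__":
    for label, key_fn, origin_fn in [
        ("decoded key, unsafe origin  ", key_decoded, origin_unsafe),
        ("verbatim key, unsafe origin ", key_verbatim, origin_unsafe),
        ("decoded key, escaped origin ", key_decoded, origin_escaped),
    ]:
        print(label, probe(key_fn, origin_fn))
```

Two independent controls each break the chain: keying the cache on the undecoded path (so the encoded and raw requests are different entries) and escaping the reflection at the origin (so even a collided entry carries no executable markup). A cache that wants to normalise for hit-rate should at least exclude the decoded form of user-controlled path characters from the key, or vary the key on the raw path.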

PoC


Exploitability

An attacker needs to find the XSS vulnerability, poison the cache so that the stored response carries a payload that executes alert(1) in the victim's browser, and then deliver the malicious URL to the victim before the poisoned entry expires.