PortSwigger Labs, how to get the most out of it
or why looking up the solution underneath the lab isn’t cheating, it’s part of learning
Aside from its presumably well-known tool for hackers wearing whatever hats, pentesters, IT sec folks, bug bounty hunters, and others, PortSwigger also offers excellent classes, for free. The practical is mixed with the theoretical, and there are labs where you can test out what you have learned and even try out your own ideas, which makes the Web Security Academy at https://portswigger.net one of the best "one-stop shops" for knowledge that you can actually apply in the real world.
But there is a minor issue, which could be there on purpose or I may be less smart than I think, and it's not really a deal breaker, not at all; it's a deal helper in a way. I'll focus on the most recent research, which you can read about here: https://portswigger.net/research/browser-powered-desync-attacks, and the focus of this article will be the pause-based desync attack.
The Lab: Server-side pause-based request smuggling
How I approach these classes is through the available learning materials first, and for this lab the learning material is here: https://portswigger.net/web-security/request-smuggling/browser/pause-based-desync
Intro
Let's make it simple. Here's the screenshot of a Burp Repeater tab filled out as per the specs in the learning material:


And then there is an explanation of how to configure/code the Turbo Intruder script. Here's what it looks like according to the learning material; note the followUp-related code:

The explanation about the followUp part seemed a bit confusing. Or at least to me it seemed a bit off. According to the learning material it's an arbitrary request, which I understood as being the desired request (even though there is GET /hopefully404 in the initial request, which doesn't have a Host header…