Time for another one of the advanced labs on the PortSwigger Web Security Academy. For this lab, we are dealing with an HTTP/2 downgrade attack that allows the attacker to smuggle a request to the backend. Due to how the…

This lab is a bit similar to the last, however, it has a completely different purpose. In the previous, we poisoned the cache in an attempt to trigger an XSS. In this lab, we are looking at poisoning a cache…

This lab is a lot of fun and requires chaining together techniques to fully exploit. First, we have to identify if, where, and how the application is vulnerable to a smuggling attack. Once that has been established, we need to…

This next lab represents an interesting vulnerability where specific paths/routes within an application are vulnerable to desync when there is no expectation of anything other than the intended HTTP verb ever showing as part of a request. These are very…

In the previous post, we looked at an HTTP/2 downgrade attack where we injected CRLF characters into a header and that allowed us to smuggle the Transfer-Encoding header through the H2 frontend. If the Transfer-Encoding header was provided as a…