After this lesson, you will be able to: Test advanced web vulnerabilities professionally with Burp: HTTP request smuggling, WebSocket security, OAuth 2.0 attacks, CORS misconfigurations, and prototype pollution.
This lesson covers the advanced vulnerability classes that distinguish a senior tester, each with a PortSwigger lab: request smuggling, WebSocket attacks, OAuth flaws, CORS misconfigurations, and prototype pollution.
When a front-end and back-end server disagree on where one request ends and the next begins, an attacker can smuggle a request. HTTP/1.1 frames request bodies with Content-Length or Transfer-Encoding; if the two servers honour different headers, a CL.TE or TE.CL desync lets the tail of the attacker's request be treated as the start of the next user's request. The HTTP Request Smuggler extension automates detection and exploitation. Impact ranges from cache poisoning to credential theft.
WebSockets give a persistent two-way connection after an HTTP upgrade handshake. Burp intercepts WebSocket messages in the WebSockets history, so you can modify them like HTTP. Test for injection in WebSocket messages and for cross-site WebSocket hijacking (CSWSH), where a malicious page opens a WebSocket to the target using the victim's cookies because the handshake was not CSRF-protected.
OAuth flows have several classic flaws: authorization code interception, CSRF on the OAuth flow when the state parameter is missing or unvalidated, open-redirect chaining via the redirect_uri, and account takeover by misusing state. Test the flow in Burp by following each redirect and tampering with parameters. CORS misconfigurations are a separate class: an overly permissive Access-Control-Allow-Origin (especially one that reflects the request's Origin while Access-Control-Allow-Credentials is true) lets a malicious site read authenticated responses. Burp shows the CORS headers, so you can spot a policy that trusts arbitrary origins.
In JavaScript, polluting Object.prototype with attacker-controlled keys can change application behavior or escalate to XSS or RCE. Client-side prototype pollution comes from unsafe merging of URL or input data into objects; server-side from unsafe handling in Node. Param Miner can fuzz for the gadget properties. It is a modern, high-impact class worth recognizing in any JavaScript-heavy app.
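As an added example (not from the lesson or from PortSwigger), here is the unsafe recursive merge that causes client-side prototype pollution, beside a hardened merge that refuses the dangerous keys; the function names, the `isAdmin` gadget and the JSON payload are constructed for illustration:

```javascript
// Vulnerable: copies every key of source into target, including "__proto__".
// JSON.parse('{"__proto__": {...}}') yields an own property named __proto__, and
// target["__proto__"] on a plain object resolves to Object.prototype, so the
// recursion writes attacker-controlled keys onto every object in the runtime.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && typeof target[key] === "object") {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain and only recurse into
// own, plain-object properties of the target.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge with a constructed payload and reports whether an unrelated,
// freshly created object now inherits the attacker's "gadget" property.
function isPollutedAfter(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed input
  mergeFn({ theme: "light" }, payload);
  const polluted = ({}).isAdmin === true; // a fresh object should know nothing about isAdmin
  delete Object.prototype.isAdmin;       // clean up so later code is unaffected
  return polluted;
}
```

The same `__proto__`-shaped input is what Param Miner's prototype pollution checks send; the fix is the key filter, or building merge targets with `Object.create(null)`.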
Use PortSwigger labs for each class.
1. Choose one class (request smuggling is a good stretch) and complete its PortSwigger lab.
2. Install the relevant extension (HTTP Request Smuggler, or Param Miner for prototype pollution).
3. Work through detection, then exploitation, reading the response signals at each step.
4. Then complete at least one CORS and one OAuth lab to see the breadth.
5. Write a one-paragraph explanation of each vulnerability you exploited and its fix.
Trying request smuggling without the HTTP Request Smuggler extension and missing the desync. Forgetting WebSocket history exists and never testing WebSocket messages. Missing the OAuth state parameter check (the CSRF root cause). Misreading a CORS policy that reflects Origin with credentials as safe. Overlooking prototype pollution in JavaScript-heavy apps. Reporting an advanced bug without a clear, minimal reproduction.