search

HTTP Request Smuggling

Note

Websites that use HTTP/2 end-to-end are inherently immune to request smuggling attacks. As the HTTP/2 specification introduces a single, robust mechanism for specifying the length of a request, there is no way for an attacker to introduce the required ambiguity.

However, many websites have an HTTP/2-speaking front-end server, but deploy this in front of back-end infrastructure that only supports HTTP/1. This means that the front-end effectively has to translate the requests it receives into HTTP/1. This process is known as HTTP downgrading. For more information, see Advanced request smugglingarrow-up-right.

hashtag
Different behavior

  • CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.

  • TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.

  • TE.TE: the front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.

hashtag
Lab: HTTP request smuggling, basic CL.TE vulnerability

After sending the same request twice, we can see that GPOSTwas added behind POSTin the 2nd request.

Content-Length: 6
Transfer-Encoding: chunked

0

G

To solve the lab, just need to change GPOSTto Gand resend twice.

hashtag
Lab: HTTP request smuggling, basic TE.CL vulnerability

Add this to the request to the home page and change the request from GET to POST and change from HTTP/2 to HTTP/1.1.

After which, send the request twice to solve the lab

hashtag
Lab: HTTP request smuggling, obfuscating the TE header

Add this to the request to the home page and change the request from GET to POST and change from HTTP/2 to HTTP/1.1.

Send the request twice to solve the lab.

hashtag
Lab: HTTP request smuggling, confirming a CL.TE vulnerability via differential responses

Add this to the request to the home page and change the request from GET to POST and change from HTTP/2 to HTTP/1.1.

The last 2 lines will used for the next request sent. Send the request twice to solve the lab.

hashtag
Lab: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

Add this to the request to the home page and change the request from GET to POST and change from HTTP/2 to HTTP/1.1. Ensure that the Content-Length auto update is turned off.

To solve the lab, send the request twice.

hashtag
Lab: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

Add this to the request to the home page and change the request from GET to POST and change from HTTP/2 to HTTP/1.1.

After sending the request twice, we can see the admin panel. Now we just need to change the path to delete carlos

Sending this request twice to complete the lab.

hashtag
Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

After sending the request twice, we can see the admin panel

To solve the lab, modify the request to be what is shown below and send twice.

hashtag
Lab: Exploiting HTTP request smuggling to reveal front-end request rewriting

We will first modify the request to what is shown below.

After sending the request twice, we are able to see part of the request that is sent

We will modify the request again to show the admin panel

After sending the request 2 times, it will display the admin panel.

Finally we will modify the request to delete carlos

To solve the lab, we just need to send this request twice.

First, we will modify the request to be what is shown below.

After sending a few times, we will see this response. This means that the comments is successfully uploaded to the post

After refreshing the post page, we can see this

To solve the lab, we just need to replace that cookie in the browser.

hashtag
Lab: Exploiting HTTP request smuggling to deliver reflected XSS

The reflected XSS vulnerability is on the post comment page.

Whenever we make changes to the User-Agent header, we can see it on the form in the post comment section.

If we change our payload to a"><script>alert(1)</script>, we can see that the <script>tag is being injected into it.

To solve the lab, we will just this modified request a few times.

PreviousJWT AttacksNextHost Header Attacks

Last updated