HTTP Request Smuggling
Note
Websites that use HTTP/2 end-to-end are inherently immune to request smuggling attacks. As the HTTP/2 specification introduces a single, robust mechanism for specifying the length of a request, there is no way for an attacker to introduce the required ambiguity.
However, many websites have an HTTP/2-speaking front-end server, but deploy this in front of back-end infrastructure that only supports HTTP/1. This means that the front-end effectively has to translate the requests it receives into HTTP/1. This process is known as HTTP downgrading. For more information, see Advanced request smuggling.
Different behavior
CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
TE.TE: the front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
Lab: HTTP request smuggling, basic CL.TE vulnerability
After sending the same request twice, we can see that the second request's method has become GPOST: the smuggled G was prepended to POST.
Content-Length: 6
Transfer-Encoding: chunked

0

G
To solve the lab, we just need to change GPOST to G and resend the request twice.
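An added example (not part of the original write-up) that models the CL.TE split described above: the front-end frames each request by Content-Length, the back-end frames by Transfer-Encoding, and the same bytes come apart differently, so the trailing G lands on the next request. It also shows the check a front-end should apply to stop this: refuse to forward any request that carries both framing headers. The host name and the follow-up request are constructed.

```python
# Constructed sample traffic (not captured from the lab): the CL.TE request from
# the write-up, then an ordinary POST on the same keep-alive connection.
SMUGGLE = (b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
           b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"0\r\n\r\nG")
NEXT = b"POST / HTTP/1.1\r\nHost: lab.example\r\nContent-Length: 0\r\n\r\n"

def headers_of(raw: bytes) -> dict:
    """Lower-cased header map for the first request in raw."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(b":", 1) for ln in head.split(b"\r\n")[1:])}

def frame_one(stream: bytes, trust_te: bool) -> tuple[bytes, bytes]:
    """Cut one request off the stream and return (request, remaining bytes).
    trust_te=False models a Content-Length front-end; trust_te=True models a
    back-end that honours Transfer-Encoding: chunked."""
    head, rest = stream.split(b"\r\n\r\n", 1)
    h = headers_of(stream)
    if trust_te and h.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = b""
        while True:
            size_line, rest = rest.split(b"\r\n", 1)
            size = int(size_line.split(b";")[0], 16)
            body, rest = body + rest[:size], rest[size + 2:]  # data + CRLF
            if size == 0:  # zero chunk ends the body; anything after is "next"
                return head + b"\r\n\r\n" + body, rest
    n = int(h.get(b"content-length", b"0"))
    return head + b"\r\n\r\n" + rest[:n], rest[n:]

def frame_all(stream: bytes, trust_te: bool) -> list[bytes]:
    """Every request a parser with the given framing rule sees in the stream."""
    reqs = []
    while stream:
        req, stream = frame_one(stream, trust_te)
        reqs.append(req)
    return reqs

def is_ambiguously_framed(raw: bytes) -> bool:
    """Defender check: RFC 7230 section 3.3.3 treats a request carrying both
    Content-Length and Transfer-Encoding as a smuggling signal; a front-end
    should reject it (or strip Content-Length) rather than forward it."""
    h = headers_of(raw)
    return b"content-length" in h and b"transfer-encoding" in h

if __name__ == "__main__":
    wire = SMUGGLE + NEXT
    methods = lambda reqs: [r.split(b" ", 1)[0] for r in reqs]
    print(methods(frame_all(wire, trust_te=False)))  # front-end: [b'POST', b'POST']
    print(methods(frame_all(wire, trust_te=True)))   # back-end: [b'POST', b'GPOST']
    print(is_ambiguously_framed(SMUGGLE))            # True
```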

Lab: HTTP request smuggling, basic TE.CL vulnerability
Add this to the request to the home page, change the method from GET to POST, and change the protocol from HTTP/2 to HTTP/1.1.
Then send the request twice to solve the lab.
Lab: HTTP request smuggling, obfuscating the TE header
Add this to the request to the home page, change the method from GET to POST, and change the protocol from HTTP/2 to HTTP/1.1.
Send the request twice to solve the lab.
Lab: HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
Add this to the request to the home page, change the method from GET to POST, and change the protocol from HTTP/2 to HTTP/1.1.
The last 2 lines will be used for the next request sent. Send the request twice to solve the lab.
Lab: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
Add this to the request to the home page, change the method from GET to POST, and change the protocol from HTTP/2 to HTTP/1.1. Ensure that the Content-Length auto-update is turned off.
To solve the lab, send the request twice.
Lab: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
Add this to the request to the home page, change the method from GET to POST, and change the protocol from HTTP/2 to HTTP/1.1.
After sending the request twice, we can see the admin panel. Now we just need to change the path to delete carlos.
Send this request twice to complete the lab.
Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
After sending the request twice, we can see the admin panel.
To solve the lab, modify the request to be what is shown below and send twice.
Lab: Exploiting HTTP request smuggling to reveal front-end request rewriting
We will first modify the request to what is shown below.
After sending the request twice, we are able to see part of the request that was sent.
We will modify the request again to show the admin panel.
After sending the request 2 times, it will display the admin panel.
Finally, we will modify the request to delete carlos.
To solve the lab, we just need to send this request twice.
First, we will modify the request to be what is shown below.
After sending it a few times, we will see this response, which means the comment was successfully posted to the post.

After refreshing the post page, we can see this:
To solve the lab, we just need to replace that cookie in the browser.


Lab: Exploiting HTTP request smuggling to deliver reflected XSS
The reflected XSS vulnerability is on the post comment page.
Whenever we make changes to the User-Agent header, we can see the change reflected in the form on the post comment page.


If we change our payload to a"><script>alert(1)</script>, we can see that the <script> tag is being injected into the form.


To solve the lab, we just send this modified request a few times.