Request Smuggling

Summary

• Tools

• CL.TE vulnerabilities

• TE.CL vulnerabilities

• TE.TE behavior: obfuscating the TE header

• References

Tools

• HTTP Request Smuggler / BApp Store

• Smuggler

CL.TE vulnerabilities

The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

Example:

Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

TE.CL vulnerabilities

The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.

Example:

⚠️ To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0.

Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl

TE.TE behavior: obfuscating the TE header

The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.

Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header

References

• PortSwigger - Request Smuggling Tutorial and PortSwigger - Request Smuggling Reborn

• A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16