HTTP Request Smuggling
It is a technique for interfering with the way a website processes sequences of HTTP requests received from one or more users.
Assume the website has the following HTTP specification.
If we change "Content-Length" to "Transfer-Encoding" as follows, the data is sent to the server in chunks. Each chunk begins with the chunk size in bytes, expressed in hexadecimal.
The message is terminated with a chunk of size zero.
By the way, the Transfer-Encoding header is not allowed in HTTP/2.
Burp Suite has a useful extension, “HTTP Request Smuggler”.
The front-end server uses “Content-Length” header and the back-end server uses “Transfer-Encoding” header.
Send the following request twice.
If the response is delayed, we may be able to perform request smuggling.
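As an added example (not part of the original page), the following Python shows why the CL.TE case above desynchronises the two servers: the same bytes are framed once by Content-Length and once by the chunked encoding described earlier, and whatever the chunked parser leaves over becomes the start of the "next" request on the back-end. It also shows the defensive check a front-end should apply, rejecting any request that carries both framing headers. The host name and the request body are constructed sample data.

```python
def split_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def parse_chunked(body: bytes):
    """Decode a chunked body. Each chunk is '<hex size>\\r\\n<data>\\r\\n'; a
    zero-size chunk followed by an empty trailer line ends the message.
    Returns (decoded_body, leftover): leftover is what stays in the socket
    buffer and is read as the beginning of the following request."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # size is hexadecimal
        pos = eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("missing empty trailer line after last chunk")
            return out, body[pos + 2:]
        out += body[pos:pos + size]
        pos += size + 2                           # skip data and its CRLF

def frontend_backend_views(raw: bytes):
    """Front-end frames by Content-Length, back-end by Transfer-Encoding."""
    headers, body = split_head(raw)
    fe_body = body[:int(headers[b"content-length"])]
    be_body, leftover = parse_chunked(fe_body)
    return fe_body, be_body, leftover

def is_ambiguously_framed(raw: bytes) -> bool:
    """Mitigation: a request with both Content-Length and Transfer-Encoding
    has two possible lengths. A front-end should reject it (or normalise it
    to exactly one framing header) before forwarding."""
    headers, _ = split_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

# Constructed sample: body is '0\r\n\r\nSMUGGLED' = 13 bytes, so the
# Content-Length front-end forwards all of it, while the chunked back-end
# stops after the zero chunk and keeps 'SMUGGLED' for the next request.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\nSMUGGLED")

if __name__ == "__main__":
    fe, be, left = frontend_backend_views(SAMPLE)
    print("front-end body:", fe, "| back-end body:", be, "| leftover:", left)
    print("ambiguous framing, reject:", is_ambiguously_framed(SAMPLE))
```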
The front-end server uses the “Content-Length” header, so
The front-end server uses the “Transfer-Encoding” header and the back-end server uses the “Content-Length” header. Send the following request twice.
If you use Burp Suite, make sure the “Update Content-Length” option is unchecked so that Burp Suite does not automatically change the Content-Length to match the data sent.
If the response is delayed, we may be able to perform request smuggling.
Send the following request twice.
Both the front-end server and the back-end server support the “Transfer-Encoding” header, but one of the servers can be induced not to process it by obfuscating the header.
If the target website ignores the Content-Length, you can access the restricted page by request smuggling.
If you're using Burp Suite, send the target request to Repeater twice.
Now the two requests should look like:
First off, if you're using Burp Suite, enable "Update Content-Length" in the Burp Repeater options. The sequence is Request 1 -> Request 2.
If you're using Burp Suite, disable "Update Content-Length" and enable "Allow HTTP/2 ALPN override" in the Burp Repeater options.
The request should look like:
Before sending, don't forget to expand the Inspector on the right in Repeater and select "HTTP/2". Now send the request a few times.
Reference: https://github.com/dhmosfunk/CVE-2023-25690-POC
If the target web server allows any characters (.*) in RewriteRule, it causes HTTP request smuggling.