search
Page cover

HTTP Request Smuggling

É uma técnica para interferir na maneira como um site processa sequências de solicitações HTTP recebidas de um ou mais usuários.

hashtag
Investigationarrow-up-right

Assume the website has the following HTTP specification.

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin
Copied!

If we change "Content-Length" to "Transfer-Encoding" as follow, the data is sent in chunks to server. Each chunk consists of the chunk size in bytes (it is expressed in hexadecimal).

The message is terminated with a chunk of size zero.

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1d
username=admin&password=admin
0
Copied!

By the way, Transfer-Encoding header is not allowed in HTTP/2.

hashtag
Exploitation Automaticallyarrow-up-right

BurpSuite has the useful extension “HTTP Request Smuggler”.

hashtag
CL.TE (Content-Length . Transfer-Encoding)arrow-up-right

The front-end server uses “Content-Length” header and the back-end server uses “Transfer-Encoding” header.

Send the following request twice.

If the response delays, we may be able to request smuggling.

hashtag
Exploitationarrow-up-right

The front-end server uses the “Content-Length” header, so

hashtag
TE.CL (Transfer-Encoding . Content-Length)arrow-up-right

The front-end server uses “Trans-Encoding” header and the back-end server uses “Content-Length” header. Send the following request twice.

If you use BurpSuite, check the “Update Content-Length” option is unchecked to avoid BurpSuite automatically changes the Content-Length depending on data sent.

If the response delays, we may be able to request smuggling.

hashtag
Exploitationarrow-up-right

Send the following request twice.

hashtag
TE.TE (Transfer-Encoding . Transfer-Encoding)arrow-up-right

Both the front-end server and the back-end server support the “Transfer-Encoding” header but one of the servers can be induced not to process it by obfuscating the header.

hashtag
CL.0 (Content-Length: 0)arrow-up-right

If the target website ignores the Content-Length, you’re able to access the restricted page by request smuggling.

hashtag
1. Prepare the Two Same Requestsarrow-up-right

If you're using Burp Suite, send the target request to Repeater twice.

hashtag
2. Change the First Request to POST Requestarrow-up-right

hashtag
3. Set the "Content-Length: 0" in the First Requestarrow-up-right

hashtag
4. Set the "Connection: keep-alive" in the First Requestarrow-up-right

Now two requests should look like:

hashtag
5. Send Requests in Orderarrow-up-right

First off, if you're using Burp Suite, note that enabling the "Update Content-Length" in the Burp Repeater option. The sequence is Request 1 -> Request 2.

hashtag
HTTP/2 CL.0 (Content-Length: 0)arrow-up-right

hashtag
1. Prepare Requestarrow-up-right

If you're using Burp Suite, note that disable "Update Content-Length" and enable "Allow HTTP/2 ALPN override" in the Burp Repeater option.

The request shoud look like:

hashtag
2. Send Requestarrow-up-right

Before doing, don't forget to expand the Inspector on the right in the Repeater and select "HTTP/2". Now send the request a few times.

hashtag
mod_proxy Misconfiguration on Apache ≥2.4.0, 2.4.55≤(CVE-2023-25690)arrow-up-right

Reference: https://github.com/dhmosfunk/CVE-2023-25690-POCarrow-up-right

If target web server allows any characters (.*) in RewriteRule, it causes HTTP request smuggling.

hashtag
Send Request with CRLF (\r) Injectionarrow-up-right

hashtag
References

PreviousCrawl/FuzzNextApi keys

Last updated