Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

An incorrect example in the "Exploiting HTTP request smuggling" section on the Web Security Academy.

Nam | Last updated: Jul 17, 2023 04:37AM UTC

In one of the "Revealing front-end request rewriting" examples, the Content-Length is wrong. POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 130 Transfer-Encoding: chunked 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 email=POST /login HTTP/1.1 Host: vulnerable-website.com ... In the above example, the first "Content-Length" is 130 while it should be 135. This is because the first request's body are supposed to be: 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 email= The above request body has a length of 135 bytes. Therefore, "Content-Length: 135" I hope you can fix the incorrect example so learners won't get confused. Besides that, I really love the content on Web Security Academy. Thanks a lot!

Ben, PortSwigger Agent | Last updated: Jul 18, 2023 12:33PM UTC

Hi, Just to confirm, the smuggled request is the text that is shown in orange in the page that you have mentioned. This has a Content-Length of 130.

Nam | Last updated: Jul 19, 2023 03:18AM UTC

Hi Ben, I agree with you that the smuggled request is the text in orange (which hash Content-Length of 130). However, the "Content-Length" in the example must also include "0\r\n\r\n" which precedes the smuggled request. In that case, it has 135=130+5 as Content-Length. Please refer to my tweet for details https://twitter.com/ApinLusen/status/1681502303331979264. Hope everything is clear to you.

Ben, PortSwigger Agent | Last updated: Jul 21, 2023 07:20AM UTC