Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

HTTP Request Smuggling

mlhblbl | Last updated: Feb 28, 2022 01:29PM UTC

I saw that info: """Some important considerations should be kept in mind when attempting to confirm request smuggling vulnerabilities via interference with other requests: The "attack" request and the "normal" request should be sent to the server using different network connections. Sending both requests through the same connection won't prove that the vulnerability exists. """ when I was reading https://portswigger.net/web-security/request-smuggling/finding. I understand that there can be no proof in the poisoned connection, but it must be the same connection for the request smuggling to occur. I can't get out of this paradox can you help me?

Luca | Last updated: Jul 10, 2022 01:39PM UTC

I have run into this post while searching for something else and I have realised I wonder the same. An answer from support would be welcome

Hannah, PortSwigger Agent | Last updated: Jul 11, 2022 09:54AM UTC

Reusing connections can cause desynchronization between yourself and the front-end of the website, rather than yourself and the back-end of the website.

This means that it can look like the system is vulnerable when in reality you are only exploiting yourself, which leads to false positives.

You may find this section of our research paper helpful

Valzuun01 | Last updated: Jul 13, 2022 11:10AM UTC