Burp Suite User Forum


HTTP Request Smuggling

mlhblbl | Last updated: Feb 11, 2022 02:41PM UTC

I don't understand how the Content-Length of the smuggled request is calculated in the TE.CL lab of the request smuggling section. Can you help me? Where does 15 come from? (It accepts values between 10 and 15; I get an invalid request error for 9 and for values less than 9.) The solution given by PortSwigger:

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

[ | Last updated: Feb 11, 2022 02:59PM UTC

It is also my question why we should enter two blank lines and then add something like "x=1 0", and if we use just POST instead of GPOST, what is the difference between them? Are there some prerequisites that we should learn in order to analyze these HTTP requests?

mlhblbl | Last updated: Feb 11, 2022 03:09PM UTC

The two-line spacing was a point that I didn't understand either. I can refer you to this article: "https://medium.com/nerd-for-tech/http-request-smuggling-part-1-concepts-b89bfe17b210#9ea9". In short, the "chunked" feature needs one blank line after the 0 in order to understand that the request has ended. As for GPOST, since the lab only accepts GET and POST requests, we understand that this security measure has been bypassed by the GPOST method reaching the server.

Ben, PortSwigger Agent | Last updated: Feb 14, 2022 06:43PM UTC

Hi, if you take a look at our article here - https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn - we state the following: "The TE.CL attack looks similar, but the need for a closing chunk means we need to specify all the headers ourselves and place the victim request in the body. Ensure the Content-Length in the prefix is slightly larger than the body." The Content-Length value needs to be at least 10 because that is how big the body of the victim request is - we have then made this slightly larger in line with the advice above. The final line of an HTTP request needs to be \r\n. In practice, this equates to two carriage returns, due to the carriage return on the previous line (\r\n\r\n). If you enable the non-printable characters (\n) in Repeater, you will see these characters.
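As an added illustration of Ben's explanation (example code written for this thread, not PortSwigger's lab or tooling), the Python below parses the same raw bytes once as a parser that honours only Content-Length and once as one that honours only Transfer-Encoding, reports where each one ends the message, and measures how many body bytes are actually left for the leftover request. The RAW constant is the lab request quoted above, rebuilt with explicit CRLFs; the 10 it reports is the "x=1\r\n0\r\n\r\n" remainder, so a declared Content-Length below 10 leaves stray bytes and one above 10 reaches into the next request on the connection.

```python
# Added example: delimit the same bytes as a Content-Length-only parser and as a
# chunked-only parser.  RAW is the thread's lab request with explicit CRLFs.
RAW = (
    b"POST / HTTP/1.1\r\nHost: your-lab-id.web-security-academy.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5c\r\nGPOST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n\r\nx=1\r\n0\r\n\r\n"
)

def split_message(raw: bytes):
    """Return (lower-cased header map, offset where the body starts)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, len(head) + len(sep)

def end_by_content_length(raw: bytes) -> int:
    """Offset where a parser that honours only Content-Length stops."""
    headers, body_start = split_message(raw)
    return body_start + int(headers.get(b"content-length", b"0"))

def end_by_chunked(raw: bytes) -> int:
    """Offset where a parser that honours only chunked encoding stops."""
    _, pos = split_message(raw)
    while True:
        size_end = raw.index(b"\r\n", pos)  # raises ValueError if truncated
        size = int(raw[pos:size_end].split(b";")[0], 16)
        pos = size_end + 2 + size + 2  # chunk data plus its trailing CRLF
        if size == 0:  # last chunk followed by empty trailers
            return pos

def desync_report(raw: bytes) -> dict:
    """Compare both boundaries; when the CL parser stops early, read the leftover
    bytes as a second request and compare its Content-Length with what is left."""
    headers, _ = split_message(raw)
    cl_end = end_by_content_length(raw)
    te_end = end_by_chunked(raw) if b"transfer-encoding" in headers else cl_end
    report = {"cl_end": cl_end, "te_end": te_end, "ambiguous": cl_end != te_end}
    if cl_end < te_end:
        leftover = raw[cl_end:te_end]
        headers, body_start = split_message(leftover)
        available = len(leftover) - body_start
        declared = int(headers.get(b"content-length", b"0"))
        report.update(body_available=available, body_declared=declared,
                      taken_from_next_request=declared - available)
    return report
```

A gateway that parses every request this way and rejects any message where the two boundaries disagree removes the ambiguity that the lab relies on.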
