Burp Suite User Forum


[HTTP Request Smuggling] Meaning of the requests used in smuggle probe (issue overview)

Maarten | Last updated: Aug 17, 2021 07:52PM UTC

In my issue summary I got an HTTP Request Smuggler alert consisting of 2 requests and 1 response (the other is a time-out, I guess). One request is like:

    ...
    Transfer-Encoding : chunked
    Content-Length: 50
    Connection: keep-alive

    27
    aiazp=x&UserId=93&action=Change&txasg=x
    1
    Z
    Q
    \n (empty line, so cursor will be on next line)

The other is like:

    ...
    Transfer-Encoding : chunked
    Content-Length: 50
    Connection: keep-alive

    27
    bal8k=x&UserId=93&action=Change&y5t4l=x
    0
    \n (empty line, so cursor will be on next line)

Do these represent the CL.TE and TE.CL scenarios/orientations (from the write-up/blog post), respectively? Or is the second some sort of base request (since the content length and the number of characters, including transfer-encoding numbers like 27, match exactly, thus 50)? (FYI: it does not yield a delay.)

If the second represents the TE.CL probe, it is not in line with the write-up, which mentions for TE.CL:

    ...
    Transfer-Encoding : chunked
    Content-Length: 6
    Connection: keep-alive

    0
    \n (empty line, so cursor will be on next line)
    X

So the first and last chunk (i.e., the empty one) will occupy 5 chars, and the backend (reading content-length) will wait for the last character, which will never arrive.

Uthman, PortSwigger Agent | Last updated: Aug 18, 2021 08:47AM UTC

Hi Michael, This does look like a CL.TE/TE.CL issue, as you mentioned, since one request is timing out whilst the other is not. It appears to be the behavior under the 'Confirming HTTP request smuggling vulnerabilities using differential responses' section (https://portswigger.net/web-security/request-smuggling/finding). The first request should attempt to trigger the timeout by not adding \r\n\r\n at the end of the request after the payload. The second request would include the \r\n\r\n sequence so that it is seen as a 'normal' request (https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.1). However, are you seeing two requests with \r\n\r\n at the end? Can you please email support@portswigger.net with the full request/response related to the reported issue?
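The following is an added worked example, not code from the post, from the HTTP Request Smuggler extension or from PortSwigger. It models the two parsers that disagree in a CL.TE / TE.CL desync (a Content-Length reader and a chunked reader), feeds each of the bodies quoted in the thread through a front-end/back-end pair in both orientations, and reports whether the back-end completes or is left waiting for bytes that never arrive (the timeout the scanner looks for). The request bodies are reconstructed from the post (chunk size 0x27 = 39 bytes of form data, then either `1 Z Q` or the `0` terminator) and from the write-up's minimal probes; the parsers are deliberately simplified (no trailers, no chunk extensions beyond stripping them) and are an assumption about how such servers behave, not the behaviour of any specific product.

```python
"""Model how a Content-Length parser and a chunked parser consume the same
request body, to show which probe hangs the back-end and which is a control.

Constructed example: bodies are reconstructed from the two probes quoted in
the post (the 50-byte pair) and from the CL.TE / TE.CL timing probes in the
PortSwigger write-up. The parser behaviour below is a simplified assumption.
"""

# Reconstructed from the post: chunk size 0x27 = 39 bytes of parameters.
REQ_A = b"27\r\naiazp=x&UserId=93&action=Change&txasg=x\r\n1\r\nZ\r\nQ"  # 52 bytes
REQ_B = b"27\r\nbal8k=x&UserId=93&action=Change&y5t4l=x\r\n0\r\n\r\n"     # 50 bytes
# The write-up's minimal timing probes, as (body, Content-Length) pairs.
CLTE_PROBE = (b"1\r\nZ\r\nQ", 4)
TECL_PROBE = (b"0\r\n\r\nX", 6)


def read_content_length(data: bytes, content_length: int):
    """Content-Length reader: takes exactly content_length bytes or blocks."""
    if len(data) < content_length:
        return data, "waiting"            # a socket read here never returns
    return data[:content_length], "complete"


def read_chunked(data: bytes, _content_length=None):
    """Transfer-Encoding: chunked reader. Returns (bytes consumed, status).

    Trailers are not modelled: the message ends at "0\\r\\n\\r\\n".
    """
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end == -1:
            return data[:pos], "waiting"              # no chunk-size line yet
        size_field = data[pos:line_end].split(b";")[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return data[:pos], "malformed"
        chunk_start = line_end + 2
        if size == 0:
            if len(data) < chunk_start + 2:
                return data[:pos], "waiting"          # final CRLF missing
            return data[:chunk_start + 2], "complete"
        chunk_end = chunk_start + size + 2            # chunk-data + CRLF
        if len(data) < chunk_end:
            return data[:pos], "waiting"              # chunk body incomplete
        if data[chunk_end - 2:chunk_end] != b"\r\n":
            return data[:pos], "malformed"
        pos = chunk_end


READERS = {"CL": read_content_length, "TE": read_chunked}


def simulate(body: bytes, content_length: int, front: str, back: str) -> dict:
    """The front-end parses with `front` and forwards only what it consumed;
    the back-end parses that forwarded prefix with `back`."""
    forwarded, front_status = READERS[front](body, content_length)
    result = {"front": front_status, "forwarded": len(forwarded),
              "leftover": len(body) - len(forwarded), "back": None}
    if front_status == "complete":
        _, result["back"] = READERS[back](forwarded, content_length)
    return result


def hangs_backend(body: bytes, content_length: int) -> set:
    """Orientations in which this probe leaves the back-end waiting."""
    return {o for o in ("CL.TE", "TE.CL")
            if simulate(body, content_length, *o.split("."))["back"] == "waiting"}


if __name__ == "__main__":
    cases = [("post request 1", REQ_A, 50), ("post request 2", REQ_B, 50),
             ("write-up CL.TE probe", *CLTE_PROBE), ("write-up TE.CL probe", *TECL_PROBE)]
    for name, body, cl in cases:
        for front, back in (("CL", "TE"), ("TE", "CL")):
            r = simulate(body, cl, front, back)
            print(f"{name:21} {front}.{back}: front={r['front']:8} "
                  f"forwarded={r['forwarded']:2} leftover={r['leftover']} back={r['back']}")
        print(f"{name:21} hangs back-end in: {sorted(hangs_backend(body, cl)) or 'none'}")
```

Running it shows why the two requests in the post differ: for the first body a Content-Length front-end forwards 50 of the 52 bytes, so a chunked back-end has seen chunk `1` with data `Z` but never gets the size line of the next chunk and waits. For the second body both readers stop at exactly 50 bytes, so it completes in either orientation, which is what a control request looks like; the TE.CL timing probe is the write-up's `0`-terminator body with Content-Length: 6, where the chunked front-end forwards only 5 bytes and the Content-Length back-end waits for the sixth.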
