The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


[HTTP Request Smuggling] Meaning of the requests used in smuggle probe (issue overview)

Maarten | Last updated: Aug 17, 2021 07:52PM UTC

In my issue summary I got an HTTP Request Smuggler alert consisting of 2 requests and 1 response (the other is a time-out I guess). One request is like:

    ...
    Transfer-Encoding : chunked
    Content-Length: 50
    Connection: keep-alive

    27
    aiazp=x&UserId=93&action=Change&txasg=x
    1
    Z
    Q
    \n (empty line, so cursor will be on next line)

The other is like:

    ...
    Transfer-Encoding : chunked
    Content-Length: 50
    Connection: keep-alive

    27
    bal8k=x&UserId=93&action=Change&y5t4l=x
    0
    \n (empty line, so cursor will be on next line)

Do these represent the CL.TE and TE.CL scenarios/orientations (from the write-up/blog post), respectively? Or is the second some sort of base request (since content length and amount of characters, including transfer encoding numbers like 27, match exactly, thus 50)? (FYI: It does not yield a delay.)

If the second represents the TE.CL probe, it is not in line with the write-up, which mentions for TE.CL:

    ...
    Transfer-Encoding : chunked
    Content-Length: 6
    Connection: keep-alive

    0
    \n (empty line, so cursor will be on next line)
    X

So the first and last chunk (i.e., empty one), will occupy 5 chars, and the backend (reading content-length) will wait for the last character that will never arrive.
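The byte counting in the question above can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not code from Burp or the HTTP Request Smuggler extension; the body bytes are constructed from the layouts quoted in the post, assuming CRLF line endings, and `parse_chunked` and `probe_view` are hypothetical names.

```python
import re

def parse_chunked(data: bytes):
    """Parse a chunked body. Returns (status, consumed) with status
    'complete', 'incomplete' (more bytes needed) or 'invalid'."""
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return "incomplete", pos              # size line not terminated yet
        size_field = data[pos:eol].split(b";")[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return "invalid", pos                 # e.g. the "Q" line
        size, start = int(size_field, 16), eol + 2
        if size == 0:                             # last chunk; trailers not modelled
            if data.startswith(b"\r\n", start):
                return "complete", start + 2
            return ("incomplete" if len(data) - start < 2 else "invalid"), pos
        end = start + size
        if len(data) < end + 2:
            return "incomplete", pos              # chunk data or its CRLF missing
        if data[end:end + 2] != b"\r\n":
            return "invalid", pos
        pos = end + 2

def probe_view(body: bytes, content_length: int) -> dict:
    """Byte accounting for one request body under both header interpretations."""
    te_status, te_used = parse_chunked(body)
    # Front-end honours Content-Length and forwards that many bytes;
    # back-end honours Transfer-Encoding and parses only that prefix.
    cl_te_status, _ = parse_chunked(body[:content_length])
    # Front-end honours Transfer-Encoding and forwards up to the last chunk;
    # back-end honours Content-Length and still expects the remainder.
    missing = max(content_length - te_used, 0) if te_status == "complete" else None
    return {"body_len": len(body), "te_front": te_status,
            "cl_te_backend": cl_te_status, "te_cl_backend_missing": missing}

# Constructed from the layouts quoted in the post, assuming CRLF line endings.
FIRST = b"27\r\naiazp=x&UserId=93&action=Change&txasg=x\r\n1\r\nZ\r\nQ\r\n\r\n"
SECOND = b"27\r\nbal8k=x&UserId=93&action=Change&y5t4l=x\r\n0\r\n\r\n"
WRITEUP_TE_CL = b"0\r\n\r\nX"

if __name__ == "__main__":
    for name, body, cl in (("first", FIRST, 50), ("second", SECOND, 50),
                           ("write-up TE.CL", WRITEUP_TE_CL, 6)):
        print(name, probe_view(body, cl))
```

A back-end status of `incomplete`, or a non-zero `te_cl_backend_missing`, is the state in which the back-end keeps waiting for bytes, which is what a timing-based probe observes.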

Uthman, PortSwigger Agent | Last updated: Aug 18, 2021 08:47AM UTC