Burp Suite User Forum

Login to post

Problem with "Lab: HTTP request smuggling, basic CL.TE vulnerability"

zinw | Last updated: Aug 12, 2021 03:12PM UTC

Hi. I have problem with "Lab: HTTP request smuggling, basic CL.TE vulnerability", don't know what to do! Burp Community 2021.8, last version with HTTP Request Smuggler extension. What I did. Start lab https://ac021f591eff0519807511bd004c0001.web-security-academy.net/ Run Smuggle probe Get output, see below And I try lot of things...but don't know what to do next. From https://github.com/portswigger/http-request-smuggler 5.If you're using Burp Suite Community, copy the request from the output tab and paste it into the repeater, then complete the 'Target' details on the top right. 6.Right click on the request and select 'Smuggle attack (CL.TE)'. 7.Change the value of the 'prefix' variable to 'G', then click 'Attack' and confirm that one response says 'Unrecognised method GPOST'. By changing the 'prefix' variable in step 7, you can solve all the labs and virtually every real-world scenario. "copy the request from the output tab" What request? This request https://ac021f591eff0519807511bd004c0001.web-security-academy.net ? "then complete the 'Target' details on the top right." Configure target details Host: ac021f591eff0519807511bd004c0001.web-security-academy.net Port: 443 "Right click on the request and select 'Smuggle attack (CL.TE)'" I don't have that? I have this Extension - HTTP Request Smuggler - Smugle probe - HTTP/2 probe - HTTP/2 Tunnel probe TE - HTTP/2 Tunnel probe CL - HTTP/2 hidden probe - HTTP/2 scheme probe - HTTP/2 dual:path probe - HTTP/2 method probe What I'm doin't wrong here? Thanks for your help!!! Output: Using albinowaxUtils v0.4 Loaded HTTP Request Smuggler v2.0 Updating active thread pool size to 8 Loop 0 Queued 1 attacks from 1 requests in 0 seconds TImeout with response. Start time: 1628691617549 Current time: 1628691627827 Difference: 10278 Tolerance: 10000 Unexpected report with response Found issue: Possible HTTP Request Smuggling: CL.TE multiCase (delayed response) Target: https://ac021f591eff0519807511bd004c0001.web-security-academy.net Burp issued a request, and got a response. Burp then issued the same request, but with a shorter Content-Length, and got a timeout.<br/> This suggests that the front-end system is using the Content-Length header, and the backend is using the Transfer-Encoding: chunked header. You should be able to manually verify this using the Repeater, provided you uncheck the 'Update Content-Length' setting on the top menu. <br/>As such, it may be vulnerable to HTTP Desync attacks, aka Request Smuggling. <br/>To attempt an actual Desync attack, right click on the attached request and choose 'Desync attack'. Please note that this is not risk-free - other genuine visitors to the site may be affected.<br/><br/>Please refer to the following posts for further information: <br/><a href="https://portswigger.net/blog/http-desync-attacks">https://portswigger.net/blog/http-desync-attacks</a><br/><a href="https://portswigger.net/research/http-desync-attacks-what-happened-next">https://portswigger.net/research/http-desync-attacks-what-happened-next</a><br/><a href="https://portswigger.net/research/breaking-the-chains-on-http-request-smuggler">https://portswigger.net/research/breaking-the-chains-on-http-request-smuggler</a> Evidence: ====================================== POST /academyLabHeader HTTP/1.1 Host: ac021f591eff0519807511bd004c0001.web-security-academy.net Connection: close Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Upgrade: websocket Origin: https://ac021f591eff0519807511bd004c0001.web-security-academy.net Sec-WebSocket-Version: 13 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: session=oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded Content-Length: 13 tRANSFER-ENCODING: chunked 3 x=y 0 ====================================== POST /academyLabHeader HTTP/1.1 Host: ac021f591eff0519807511bd004c0001.web-security-academy.net Connection: close Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Upgrade: websocket Origin: https://ac021f591eff0519807511bd004c0001.web-security-academy.net Sec-WebSocket-Version: 13 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: session=oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded Content-Length: 19 tRANSFER-ENCODING: chunked 3 x=y 1 Z Q ====================================== POST /academyLabHeader HTTP/1.1 Host: ac021f591eff0519807511bd004c0001.web-security-academy.net Connection: close Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Upgrade: websocket Origin: https://ac021f591eff0519807511bd004c0001.web-security-academy.net Sec-WebSocket-Version: 13 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: session=oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded Content-Length: 13 tRANSFER-ENCODING: chunked 3 x=y 1 Z Q ====================================== Error in thread: null. See error pane for stack trace. Updating active thread pool size to 8 Loop 0 Queued 1 attacks from 1 requests in 0 seconds Completed 2 of 2 in 14 seconds with 79 requests, 0 candidates and 0 findings Updating active thread pool size to 8 Loop 0 Queued 1 attacks from 1 requests in 0 seconds Completed 3 of 3 in 1 seconds with 83 requests, 0 candidates and 0 findings

Hannah, PortSwigger Agent | Last updated: Aug 13, 2021 09:40AM UTC

Hi Are you sure that you are looking at the basic CL.TE vulnerability lab? Have you tried looking at the written solution or community solution for the lab?

zinw | Last updated: Aug 13, 2021 01:42PM UTC

Yes, I first solve labs by myself. Then, try to solve labs with extension, and I can't manage to figure out how to do that.

zinw | Last updated: Aug 14, 2021 03:08PM UTC

Hi again. I find this video https://www.youtube.com/watch?v=GB5DJfZtpBs&ab_channel=Cobalt When I solve lab by hand, I get "Lab: Solved". In that video at 26 min is about automation. Everything works like in video, but I can't get "Lab: Solved", it is "Lab: Not solved". Why is that?

Hannah, PortSwigger Agent | Last updated: Aug 20, 2021 11:58AM UTC

Hi The lab is looking for a specific request/response using the method GPOST. The request smuggling extension can confirm the presence of a request smuggling vulnerability but isn't submitting the specific text needed to make "GPOST".

You need to Log in to post a reply. Or register here, for free.