Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

TE.CL smuggling labs - official solutions do not work

Max | Last updated: Feb 13, 2023 04:18PM UTC

The following labs don't seem to work / work stably. https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header To reproduce the bug, follow the official solution. Issue the request twice and note that nothing changes in the server response. Possible reason - the server configuration may have been accidentally updated.

Max | Last updated: Feb 13, 2023 04:21PM UTC

May be easier to reproduce with the following commands: If you want to try it without Burp, feel free to use the following commands: > cat smuggling.txt | openssl s_client -ign_eof -connect YOUR-LAB-ID.web-security-academy.net:443 > cat smuggling.txt POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: text/plain Content-length: 4 Origin: https://YOUR-LAB-ID.web-security-academy.net Referer: https://YOUR-LAB-ID.web-security-academy.net/post?postId=4 Connection: keep-alive Transfer-Encoding: chunked 5b GLOOL / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 3 x=1 0

Ben, PortSwigger Agent | Last updated: Feb 14, 2023 10:26AM UTC

Hi Max, I have just run through both of these labs and was able to solve them using the solution provided so they do appear to be working as expected. We have been having some intermittent issues with the Web Academy in the last few days that might have impacted this - to confirm, do you still have issues with these labs if you attempt to solve them using the solution as of right now?

Max | Last updated: Feb 15, 2023 08:49AM UTC

Hello Ben, Thank you for your input! Disabled all extensions and it worked. It appears PwnFox was modifying the request after it was issued; this probably has something to do with the removal of their custom header.

Bossart | Last updated: May 19, 2023 07:30AM UTC