Burp Suite User Forum

typo in academy example for TE.CL vulnerability?

Peter | Last updated: Apr 26, 2022 05:57PM UTC

On this learning material page: https://portswigger.net/web-security/request-smuggling#te-cl-vulnerabilities the following example is shown:

----------------------------------------
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

-------------------------------

Since 'SMUGGLED\r\n' is 10 characters long, it feels to me that the 8 should be 'a'.

In my Repeater test, with an 'a' I get an immediate response; with the 8 I get a timeout: "error":"Read timeout after 10000ms"

Am I correct?

Michelle, PortSwigger Agent | Last updated: Apr 27, 2022 11:01AM UTC

Thanks for your message.

When you tested the request with the 8, did you include the trailing sequence \r\n\r\n following the final 0 (as this would affect the response)? What response did you receive when you changed the value to 'a'?

In the example, the front-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be 8 bytes long, i.e. to the start of the line following SMUGGLED. The second chunk is then processed, which is stated to be zero-length, and so is treated as terminating the request. This request is forwarded to the backend server.

The backend server processes the Content-Length header and determines that the request body is 3 bytes long, up to the start of the line following 8. The following bytes, starting with SMUGGLED, are left unprocessed, and the back-end server will treat these as being the start of the next request in the sequence.

I hope this helps.
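
The two readings described in the reply above, as an added example that is not part of the original thread: a small Python check that parses the quoted request once by chunked framing and once by Content-Length, and reports the bytes on which the two views disagree. The function names and the CRLF-terminated sample bytes are assumptions constructed for illustration.

```python
# Constructed sample: the request quoted in the thread, with explicit CRLF line endings.
REQUEST = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
           b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"8\r\nSMUGGLED\r\n0\r\n\r\n")

def split_request(raw):
    """Return (lower-cased header dict, body bytes) for one raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def chunked_end(body):
    """Offset just past the terminating chunk, or None if the framing is invalid.
    The chunk size counts data bytes only; the CRLF after the data is not included."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return None
        try:
            size = int(body[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            return None
        pos = eol + 2
        if size < 0:
            return None
        if size == 0:                              # last chunk (trailers not handled)
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if body[pos + size:pos + size + 2] != b"\r\n":
            return None                            # declared size does not match the data
        pos += size + 2

def analyze(raw):
    """Compare the Transfer-Encoding view with the Content-Length view of one request."""
    headers, body = split_request(raw)
    both = b"content-length" in headers and b"transfer-encoding" in headers
    te_end = chunked_end(body) if b"transfer-encoding" in headers else None
    cl_end = int(headers[b"content-length"]) if b"content-length" in headers else None
    leftover = body[cl_end:te_end] if both and te_end is not None else None
    return {"both_headers": both, "te_valid": te_end is not None,
            "cl_body": body[:cl_end] if cl_end is not None else None,
            "leftover": leftover}

if __name__ == "__main__":
    print(analyze(REQUEST))                        # size 8, as in the Academy example
    print(analyze(REQUEST.replace(b"8\r\nSMUGGLED", b"a\r\nSMUGGLED")))  # size 'a'
```

A request that carries both headers and yields a non-empty `leftover` is one the two servers frame differently, which is the condition a front-end should reject or normalise before forwarding.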
