In this article we are telling you about HTTP Request Smuggling Vulnerability like what is HTTP Request Smuggling Vulnerability and how this bug is found in a website.
Here you may not have heard the name of HTTP Request Smuggling Vulnerability before because this bug is not talked about too much but it is also a bug that if you get in a website, you can get good bounty.
Here all this is being told to you for educational purpose, I hope that you will never misuse it in any way, here we are telling you both theory as well as practical.
Before explaining about HTTP Request Smuggling Vulnerability in detail, we want to make you clear one thing if you read this article properly, then only you can understand it correctly.
Note – This article is only for educational purpose. Don’t miss use your knowledge and skills.
HTTP Request Smuggling Vulnerability ?
Before going about the HTTP Request Smuggling Vulnerability practically, you must know about some terms about it, only then you can understand the HTTP Request Smuggling Vulnerability.
As the name itself suggests, smuggling we all know very well what is meant by smuggling where any illegal thing is sent in some way hidden with legal thing.
Before going about HTTP Request Smuggling Vulnerability, it is very important to understand some of the things captured by burp suite, only then you can understand it completely.
As you may have seen this many times, you HTTP 1.1 shows you many times in the request, just like it first HTTP 1.0 used to be, you have to understand both of them.
Let us try to understand this by example, like the number of images on the home page of our website, which are loaded, you have all these connections at once, because all of them are destroyed. Works on HTTP 1.1
If here. In such a case, if there are 10 images on our website, in such a request, the request goes to the server after each image, only then you have the image loaded one by one while Connection is made only once in HTTP 1.1 and does not close
Let us now tell you about the http pipeline. Here you have to understand two things: front end server and back end server. If you understand both these terms, then only you can understand HTTP Request Smuggling.
Let us understand this by example, such as when a visitor comes to his website more than his limit, in such a way, front end server works here, front end server load balancer works here.
In this way, both front end server and back end server work together in the background and here the front end server makes connection only once, after that it is aware of as many requests as it wants.
You must have seen something like this in your burp suite many times whenever you capture some kind of request, here all this means you are shown in the image, you can see this
Here you have to break the \r\n\ line that is being shown in the burp suite which is never shown in the burp suite but it happens that you capture any kind of request, you get the same \r\n\ in all.
Here you see the content length and transfer encoding in the image which we also know as CL and TE, which you get even when solving labs on portswigger.
Here the content length means the content given in the body like hello is written in the image here the content length is 5, in the same way, in encoding the transfer, you can see that you get chunked whenever you get something like this.
In such a case, the server itself has to find out how much is given in the content length request, as you can see in the image here the space is also counted, so you are shown 5 and 6.
As you can see in the image, here the content length is also given in the request, as well as transfer encoding is given here, in such a situation, if both are found in a request, then the content length is ignored. This is how HTTP Request Smuggling Vulnerability works.
Here in HTTP Request Smuggling Vulnerability is not so much as you read this article completely, in such a way you understand it yourself, here CL and TE have been told about you in this article.
Also Read
What are dom based vulnerabilities
File path traversal vulnerability
What is host header injection attack
HTTP Request Smuggling Vulnerability Labs ?
Here we are telling you to solve three labs of HTTP Request Smuggling Vulnerability. Here we are also telling you how this bug is used with cross site scripting.
HTTP request smuggling basic CL.TE vulnerability ?
Let us now tell you by solving labs of HTTP Request Smuggling Vulnerability as you can see CL TE here means to ignore Content length and use Transfer encoding.
https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
Like this, you get labs of TE CL where you have to ignore transfer encoding and use Content length, similarly you also get labs of TE TE here, here we are telling you to solve three labs.
Here first you have to access lab as you can see in the image, before accessing lab you have to run the burp suite normally as you have been told in all the earlier articles.
After accessing the lab you get a get request in http history in burp suite in such a way as you can see in the image here that it has to send the request to repeater.
After sending the repeater, you have to make changes in the request in this way, after doing this you have to send the request and you will be able to see in the other response, you will get some response in this way.
Here we want to tell you something like you have been told here that the content length is ignored and transfer encoding is used, in this way you can see the content length 0 show is happening.
How to do os command injection attack
In such a way, when transfer encoding is used, as you are told in the image, after \r\n\ there is a break, in such a case you are getting g at last, it gets added to the response of the request as if you are seeing GPOST.
As soon as all this happens, you will be able to see your lab solve as you can see in the image, you have got the message of congratulations here, you can solve this other lab too.
HTTP request smuggling confirming a CL.TE vulnerability via differential responses ?
First of all, you have to run the burp suite normally as you have been told in the lab above, you have to do something similar here too, after doing all this you can solve this lab.
There are other ways to find HTTP Request Smuggling Vulnerability as you have been told about CL TE, similarly you are also being told about other labs here, first of all you have to access lab.
After accessing lab you get url like this in burp suite’s http history, here you have to send this request to repeater, after sending something like this you have to make changes.
What is web cache poisoning vulnerability
After sending the request to the request repeater, you have to make some changes like this, here you get a response in this way when you send the request for the first time, here you are not being told its effect
In this way, you have to send the same request a second time and you will see that you get an error of 404 not found in this way, this lab also resolves as soon as this happens.
After doing all this, you will be able to see the message of congratulations as you get on solving all the labs, the same way you are shown here as well you get more labs of this which you can solve.
Exploiting HTTP request smuggling to deliver reflected XSS ?
In the same way, you can use HTTP Request Smuggling Vulnerability with XSS attack as well, as you have been told about XSS reflected in cross site scripting attacks, if you have not read our article, then you must read it.
https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss
Here first you have to access lab, after accessing lab, your summons are displayed a few posts, you can open any post like we have open post here.
In such a case, you will get the post id in http history as you can see in the image, you have to send this request to the repeater as we have done in earlier labs.
After sending the repeater, you have to make some changes like this, here you get all this code along with lab, you also have to send the request by making changes in the same way.
After doing all this, you will be able to see as if we have used script alert here, it becomes popup and shows you, in this way you also get cross site scripting attacks.
What is server side request forgery ssrf
After doing all this, you will be able to see you will get a message of congratulations and also this lab will be solved as you can see in the image, you get more labs of HTTP Request Smuggling Vulnerability which you can try by yourself.
The Conclusion
I hope now you know about HTTP Request Smuggling Vulnerability. We have told you here by solving three labs of HTTP Request Smuggling Vulnerability.
Here we want to make you clear one thing, if you do not read this article correctly, in such a situation you cannot understand HTTP Request Smuggling Vulnerability because it is necessary to understand some terms.
If you have any kind of problem in solving the labs of HTTP Request Smuggling Vulnerability here, in this way you can ask us in a comment, we will help you completely.
If you like this article of ours, then you must share it, as well as you can also tell on which topic you want articles, if you have any question, you can still ask in the comment.
Subscribe to our blog for latest updates
Sharing is Caring
Thankyou
Leave a Reply