HTTP Request smuggling


Last updated 2 years ago

HTTP request smuggling is an attack on the HTTP protocol that exploits inconsistencies in how the servers in an HTTP proxy chain (typically a frontend proxy and a backend server) interpret the Content-Length and/or Transfer-Encoding headers of the same request. It was first documented in 2005 by Linhart et al.

--

How it works

  • Both a Content-Length (CL) and a Transfer-Encoding (TE) header are placed in a single HTTP request, and frontend and backend disagree about which of the two frames the body; or

  • The infrastructure uses HTTP/2, but not end-to-end, e.g. the frontend (FE) downgrades requests to HTTP/1 for the backend (BE).

Content-Length

The Content-Length entity-header field indicates the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent had the request been a GET.

From the HTTP RFC (RFC2616, 14.13).

Be aware that linebreaks (\r\n) are 2 octets/bytes long.

Example

POST / HTTP/1.1
Host: website.com
Content-Length: 11

test\r\n
123\r\n

Calculation

  • "test": 4 bytes

  • linebreak (\r\n): 2 bytes

  • "123": 3 bytes

  • linebreak (\r\n): 2 bytes => Content-Length: 11

Transfer-Encoding

The Transfer-Encoding general-header field indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient. This differs from the content-coding in that the transfer-coding is a property of the message, not of the entity.

From the HTTP RFC (RFC2616, 14.41).

  • For this vulnerability type we're only interested in the chunked option.

  • Each chunk starts with a hexadecimal number giving the length of the chunk data, followed by a linebreak (\r\n), followed by the actual chunk data, followed by another linebreak (\r\n).

  • The terminating chunk has a length of 0: the line 0\r\n is followed by an empty line (\r\n), which ends the message body.

Example

POST / HTTP/1.1
Host: website.com
Transfer-Encoding: chunked

4\r\n
test\r\n
3\r\n
123\r\n
0\r\n
\r\n

Different types of request smuggling

CL.TE

Frontend uses Content-Length, backend Transfer-Encoding.

POST / HTTP/1.1
Host: website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
  • Frontend determines the request body is 13 bytes long ("0", a linebreak, an empty line and "SMUGGLED", i.e. up to the end of "SMUGGLED") and forwards all of it.

  • Backend reads the first chunk size as 0 and terminates the request there. => "SMUGGLED" is then treated as the start of the next request on that connection.

TE.CL

Frontend uses Transfer-Encoding, backend Content-Length.

POST / HTTP/1.1
Host: website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0
  • Frontend determines the request body consists of one 8 byte long chunk ("SMUGGLED") followed by the terminating 0 chunk, and forwards all of it.

  • Backend determines the request body is 3 bytes long ("8" plus 2 bytes for the following linebreak, i.e. right up to the start of "SMUGGLED"). => "SMUGGLED" is then treated as the start of the next request on that connection.
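The CL.TE and TE.CL splits above, made concrete: the following Python is an added example (not code from the original page) that frames one HTTP/1.1 request body the way a Content-Length-only parser and a chunked-only parser each would, and returns what each leaves behind on the connection. The function names and the constructed sample requests (copied from the examples above) are my own.

```python
# Added example (not the page's code): frame one HTTP/1.1 request body the way
# a Content-Length-only parser and a chunked-only parser each would, and show
# what each leaves on the connection for the "next" request.

def split_headers(raw: bytes):
    """Return (headers with lower-cased names, raw body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def body_by_content_length(raw: bytes):
    """Framing as a Content-Length parser sees it: (body, leftover bytes)."""
    headers, body = split_headers(raw)
    n = int(headers.get(b"content-length", b"0"))
    return body[:n], body[n:]

def body_by_chunked(raw: bytes):
    """Framing as a chunked parser sees it: (decoded body, leftover bytes)."""
    _, data = split_headers(raw)
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end], 16)       # chunk-size line is hex
        pos = line_end + 2
        if size == 0:                            # last-chunk, then empty line
            pos = data.index(b"\r\n", pos) + 2
            return out, data[pos:]
        out += data[pos:pos + size]
        pos += size + 2                          # chunk data plus its CRLF

def desync(raw: bytes):
    """Leftover bytes per parser; if they differ, a CL front end and a TE
    back end (or vice versa) disagree about where this request ends."""
    return body_by_content_length(raw)[1], body_by_chunked(raw)[1]

# Constructed requests mirroring the page's CL.TE and TE.CL examples.
CL_TE = (b"POST / HTTP/1.1\r\nHost: website.com\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
TE_CL = (b"POST / HTTP/1.1\r\nHost: website.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        cl_rest, te_rest = desync(req)
        print(f"{name}: CL parser leaves {cl_rest!r}, TE parser leaves {te_rest!r}")
```

Whichever parser leaves a non-empty remainder is the side that will prepend those bytes to the next request on the same connection; a proxy that rejects or normalises requests carrying both headers removes the disagreement.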

TE.TE

Both frontend and backend support Transfer-Encoding, but the header can be obfuscated so that only one of them processes it. The result is effectively CL.TE or TE.CL, depending on whether the frontend or the backend then falls back to Content-Length instead of Transfer-Encoding.

Examples

Transfer-Encoding: xchunked
Transfer-Encoding:<tab>chunked
Transfer-Encoding : chunked
[...]

For more examples see PortSwigger - Web Security Academy - TE.TE behavior: obfuscating the TE header.
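A strict check a frontend could apply to the header block before forwarding, as an added example (not code from the original page): it flags the three obfuscated Transfer-Encoding lines above as well as Content-Length combined with Transfer-Encoding. The function name, the canonical-form regex and the constructed header blocks are my own assumptions about what "strict" should mean.

```python
# Added example (not from the page): flag HTTP/1 request headers whose framing
# is ambiguous, i.e. Content-Length together with Transfer-Encoding, duplicate
# Content-Length, or a TE.TE-style obfuscated Transfer-Encoding line. Strict
# by design: lenient parsing of these lines is what makes TE.TE work.
import re

CANONICAL_TE = re.compile(rb"^transfer-encoding: chunked$")  # after lower()

def ambiguity_reasons(raw_head: bytes):
    """Return reasons to reject the request before forwarding (empty = clean)."""
    reasons, cl_count, te_lines = [], 0, []
    for line in raw_head.split(b"\r\n")[1:]:        # skip the request line
        if not line:
            continue
        name = line.partition(b":")[0].strip().lower()
        if name == b"content-length":
            cl_count += 1
        elif name == b"transfer-encoding":
            te_lines.append(line)
    if cl_count > 1:
        reasons.append("duplicate Content-Length headers")
    if cl_count and te_lines:
        reasons.append("both Content-Length and Transfer-Encoding present")
    for line in te_lines:
        if not CANONICAL_TE.match(line.lower()):
            reasons.append(f"non-canonical Transfer-Encoding line: {line!r}")
    return reasons

# Constructed header blocks: the page's three TE.TE obfuscations plus CL+TE.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: website.com\r\nTransfer-Encoding: chunked\r\n",
    "cl+te": b"POST / HTTP/1.1\r\nContent-Length: 13\r\nTransfer-Encoding: chunked\r\n",
    "xchunked": b"POST / HTTP/1.1\r\nTransfer-Encoding: xchunked\r\n",
    "tab": b"POST / HTTP/1.1\r\nTransfer-Encoding:\tchunked\r\n",
    "space": b"POST / HTTP/1.1\r\nTransfer-Encoding : chunked\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, ambiguity_reasons(head) or "ok")
```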

HTTP/2 downgrade attacks

If HTTP/2 is not used end-to-end, but only by frontend servers, which then downgrade requests to HTTP/1 for backend servers, quite a few potential attacks are possible.

H2.CL

Even though HTTP/2 doesn't use a Content-Length header for framing, some frontend servers nevertheless copy it over when downgrading a request to HTTP/1, where the backend then trusts it.

H2.TE

Basically the same as H2.CL, but for the Transfer-Encoding header.

HTTP/2 exclusive vectors

  • Injecting linebreaks into HTTP/2 header values, like: foo: bar\r\nTransfer-Encoding: chunked

  • Sending the Host header together with the :authority pseudo-header, which may enable a range of "Host header attacks"

  • Supplying an ambiguous path by sending the :path pseudo-header twice with different values

  • Injecting an HTTP/1 request line into the :method pseudo-header, like: :method GET /whatever HTTP/1.1

  • Injecting a URL prefix into the :scheme pseudo-header, like: :scheme https://evil-site.com?

  • Injecting newlines into pseudo-headers, like: :path /path HTTP/1.1\r\nTransfer-Encoding: chunked\r\nX: x

For details, see PortSwigger - Web Security Academy - HTTP/2-exclusive vectors.
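The checks a downgrading frontend needs before it rewrites an HTTP/2 request as HTTP/1, as an added example (not code from the original page): each of the vectors listed above is rejected rather than forwarded. The header-list representation, function name and constructed sample requests are my own assumptions.

```python
# Added example (not the page's code): checks a front end could run on a decoded
# HTTP/2 header list before rewriting it as an HTTP/1 request, rejecting the
# HTTP/2-exclusive vectors above. Headers are modelled as (name, value) pairs
# with lower-cased names, which is how HPACK decoders hand them over.
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 "token"

def downgrade_rejections(headers):
    """Return reasons the request must not be downgraded (empty = clean)."""
    reasons, pseudo = [], {}
    for name, value in headers:
        if any(c in name + value for c in "\r\n\0"):
            reasons.append(f"control character in header {name!r}")
        if name.startswith(":"):
            if name in pseudo:
                reasons.append(f"duplicate pseudo-header {name}")
            pseudo[name] = value
    if not TOKEN.match(pseudo.get(":method", "")):
        reasons.append(":method is not a single token")
    if pseudo.get(":scheme") not in ("http", "https"):
        reasons.append(":scheme is not http or https")
    hosts = [v for n, v in headers if n == "host"]
    if hosts and hosts[0] != pseudo.get(":authority", hosts[0]):
        reasons.append("Host header disagrees with :authority")
    if any(n == "transfer-encoding" for n, _ in headers):
        reasons.append("connection-specific header transfer-encoding")
    return reasons

# Constructed requests: one clean, one carrying several of the vectors above.
CLEAN = [(":method", "GET"), (":path", "/"), (":scheme", "https"),
         (":authority", "website.com")]
BAD = [(":method", "GET /whatever HTTP/1.1"), (":path", "/"), (":path", "/other"),
       (":scheme", "https://attacker.example?"), (":authority", "website.com"),
       ("host", "other.example"), ("foo", "bar\r\ntransfer-encoding: chunked")]

if __name__ == "__main__":
    print(downgrade_rejections(CLEAN) or "clean")
    for reason in downgrade_rejections(BAD):
        print("reject:", reason)
```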

Further reading

  • Wikipedia
  • PortSwigger - Web Security Academy - HTTP request smuggling
  • HTTP RFC (RFC2616, 14.13)
  • HTTP RFC (RFC2616, 14.41)
  • PortSwigger - Web Security Academy - TE.TE behavior: obfuscating the TE header
  • PortSwigger - Web Security Academy - HTTP/2-exclusive vectors
  • PortSwigger - Web Security Academy - Finding HTTP request smuggling vulnerabilities
  • PortSwigger - Web Security Academy - Exploiting HTTP request smuggling vulnerabilities
  • PortSwigger - Web Security Academy - Advanced request smuggling
  • PortSwigger - Web Security Academy - Response queue poisoning
  • PortSwigger - Web Security Academy - HTTP request tunnelling