Portswigger Academy HTTP request smuggling Labs

Introduction

What?

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users.

Why?

Request smuggling vulnerabilities are often critical in nature, and can be exploited to bypass security controls, gain unauthorised access to sensitive data, directly compromise other application users, to conduct phishing attacks, cache poisoning, cross-site scripting (XSS), and more. More information regarding exploiting this vulnerability was published by James Kettle during BlackHAT USA 2019, titled HTTP Desync Attacks: Request Smuggling Reborn.

How?

• HTTP Request smuggling techniques

• HTTP request smuggling, basic CL.TE vulnerability

• HTTP request smuggling, basic TE.CL vulnerability

• HTTP request smuggling, obfuscating the TE header

• HTTP request smuggling, confirming a CL.TE vulnerability via differential responses

• HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

• Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

• Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

• Exploiting HTTP request smuggling to reveal front-end request rewriting

• Exploiting HTTP request smuggling to capture other users’ requests

• Exploiting HTTP request smuggling to deliver reflected XSS

• Response queue poisoning via H2.TE request smuggling

• H2.CL request smuggling

• HTTP/2 request smuggling via CRLF injection

• HTTP/2 request splitting via CRLF injection

• CL.0 request smuggling

• Exploiting HTTP request smuggling to perform web cache poisoning

• Exploiting HTTP request smuggling to perform web cache deception

• Bypassing access controls via HTTP/2 request tunnelling

• Web cache poisoning via HTTP/2 request tunnelling

• Client-side desync

• Browser cache poisoning via client-side desync

• Server-side pause-based request smuggling