search

labs

hashtag
Lab - 1: HTTP request smuggling, basic CL.TE vulnerability (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

  • send this request twice

POST / HTTP/1.1
Host: 0a540036047255c3c3ba1b66004300fe.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

  • front end server will accept all and back end will execute only 0 and G is left for the first request and G is appended to the second request and will get an error

hashtag
Lab - 2: HTTP request smuggling, basic TE.CL vulnerability (P)

  • This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

POST / HTTP/1.1
Host: 0ae3007c043a9f14c0d3485f00be006d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Connection: keep-alive

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

  • Two Enter after 0 is important.

hashtag
Lab - 3: HTTP request smuggling, obfuscating the TE header (P)

  • This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

hashtag
How to find

hashtag
Lab - 4: HTTP request smuggling, confirming a CL.TE vulnerability via differential responses (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.

hashtag
Lab - 5: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses (P)

  • This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.

hashtag
How to exploit

hashtag
Lab - 6: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. There's an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.

  1. Try with

  • get 401 unauthorized

  • Duplicate header names are not allowed

  • get the admin panel

  • change the GET /admin/delete?username=carlos to solve the lab

hashtag
Lab - 7: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability (P)

  • This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. There's an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.

  • front end is TE and send all the requests to the backend

  • backend is CL and in the first request, until 87 is processed and the rest are remained for the next round

  • 87 is hexadecimal which is 135 characters from GET /admin/... to x=4

hashtag
Lab - 8: Exploiting HTTP request smuggling to reveal front-end request rewriting (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. There's an admin panel at /admin, but it's only accessible to people with the IP address 127.0.0.1. The front-end server adds an HTTP header to incoming requests containing their IP address. It's similar to the X-Forwarded-For header but has a different name. To solve the lab, smuggle a request to the back-end server that reveals the header that is added by the front-end server. Then smuggle a request to the back-end server that includes the added header, accesses the admin panel, and deletes the user carlos.

  • first test whether it is CL.TE or TE.CL and found that it is CL.TE

  • there is a search parameter in POST request and reflect back

  • to find which Header is responsible for IP address

  • and found that

  • after trying a little bit

hashtag
Lab - 9: Exploiting HTTP request smuggling to deliver reflected XSS (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The application is also vulnerable to reflected XSS via the User-Agent header. To solve the lab, smuggle a request to the back-end server that causes the next user's request to receive a response containing an XSS exploit that executes alert(1).

  • first test whether it is CL.TE or TE.CL and found that it is CL.TE

  • reflected XSS at blog post

hashtag
Lab - 10: H2.CL request smuggling (P)

  • This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length.

To solve the lab, perform a request smuggling attack that causes the victim's browser to load a malicious JavaScript file from the exploit server and call alert(document.cookie). The victim user accesses the home page every 10 seconds.

PreviousnotesNextInformation Disclosure

Last updated