search
The Hacker's Notes
githubEdit

HTTP Request Smuggling

hashtag
General

circle-info

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. Request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP request and manipulating these so that the front-end and back-end servers process the request differently. The exact way in which this is done depends on the behavior of the two servers: Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header.

hashtag
HTML Smuggling

Attackers hosts a malicious file and can invite victim to download it using the HTML Smuggling technique.

hashtag
Exploitation

Attackers can use anchor tag to invite victim to download a malicious file as below. When clicking, the malicious file is downloaded as the name “payment.docx”.

<a href="/malicious_doc.docx" download="payment.docx">Cliek Here</a>

Alternatively, attackers can also use JavaScript, then let browsers to download a malicious file when loading the page, or invite victim to click download button.

var a = document.createElement('a');
a.download = 'malicious_doc.docx'

hashtag
Using JavaScript Blob

By using blob, attackers can let victim to download a malicious file while obfuscate its content by encoding/decoding malicious code.

// Decode Base64 encoded malicious code
var malBase64 = '<BASE64_ENCODED_CODE>';
var malBinStr = window.atob(malBase64);
var malLen = malBinStr.length;
var malBytes = new Uint8Array(malLen);
for (var i = 0; i < malLen; i++) {
    malBytes[i] = malBin.charCodeAt(i);
}

// Create a blob
// 'octet/stream' allows any file types.
var malBlob = new Blob([malBytes.buffer], {type: 'octet/stream'});
var malUrl = window.URL.createObjectURL(malBlob);

// Create a downloadable anchor (automatically download)
var a = document.createElement('a');
a.style.display = 'none';
a.href = malUrl;
a.download = 'mal.py';
document.body.appendChild(a);
// this anchor will be clicked automatically.
a.click();
document.body.removeChild(a);

hashtag
References

hashtag
HTTP Request Smuggling

It is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users.

hashtag
Investigation

Assume the website has the following HTTP specification.

If we change "Content-Length" to "Transfer-Encoding" as follow, the data is sent in chunks to server. Each chunk consists of the chunk size in bytes (it is expressed in hexadecimal).

The message is terminated with a chunk of size zero.

By the way, Transfer-Encoding header is not allowed in HTTP/2.

hashtag
BurpSuite Usefule Extension

BurpSuite has the useful extension “HTTP Request Smuggler”.

hashtag
Tips

  • The chunked size is represented as Hexadecimal.

  • When calculating Content-Length , consider a newline as 2 bytes (\r\n).

hashtag
CL.TE (Content-Length . Transfer-Encoding)

The front-end server uses “Content-Length” header and the back-end server uses “Transfer-Encoding” header.

Send the following request twice.

If the response delays, we may be able to request smuggling.

hashtag
Exploit

The front-end server uses the “Content-Length” header, so

hashtag
TE.CL (Transfer-Encoding . Content-Length)

The front-end server uses “Trans-Encoding” header and the back-end server uses “Content-Length” header. Send the following request twice.

If you use BurpSuite, check the “Update Content-Length” option is unchecked to avoid BurpSuite automatically changes the Content-Length depending on data sent.

If the response delays, we may be able to request smuggling.

hashtag
Exploit

Send the following request twice.

hashtag
TE.TE (Transfer-Encoding . Transfer-Encoding)

Both the front-end server and the back-end server support the “Transfer-Encoding” header but one of the servers can be induced not to process it by obfuscating the header.

hashtag
CL.0 (Content-Length: 0)

If the target website ignores the Content-Length, you’re able to access the restricted page by request smuggling.

hashtag
1. Prepare the Two Same Requests

If you're using Burp Suite, send the target request to Repeater twice.

hashtag
2. Change the First Request to POST Request

hashtag
3. Set the "Content-Length: 0" in the First Request

hashtag
4. Set the "Connection: keep-alive" in the First Request

Now two requests should look like:

hashtag
5. Send Requests in Order

First off, if you're using Burp Suite, note that enabling the "Update Content-Length" in the Burp Repeater option. The sequence is Request 1 -> Request 2.

hashtag
HTTP/2 CL.0 (Content-Length: 0)

hashtag
1. Prepare Request

If you're using Burp Suite, note that disable "Update Content-Length" and enable "Allow HTTP/2 ALPN override" in the Burp Repeater option.

The request shoud look like:

hashtag
2. Send Request

Before doing, don't forget to expand the Inspector on the right in the Repeater and select "HTTP/2". Now send the request a few times.

hashtag
mod_proxy Misconfiguration on Apache ≥2.4.0, 2.4.55≤(CVE-2023-25690)

Reference: https://github.com/dhmosfunk/CVE-2023-25690-POCarrow-up-right

If target web server allows any characters (.*) in RewriteRule, it causes HTTP request smuggling.

hashtag
Send Request with CRLF (\r\n) Injection

hashtag
References

hashtag
Tools

hashtag
Samples

PreviousClickjackingNextWebSocket Pentesting

Last updated