There's a BApp for that: HTTP Request Smuggler

This tool is designed to help you launch HTTP Request Smuggling attacks. It was originally created during the HTTP Desync Attacks research. It supports scanning for Request Smuggling vulnerabilities and aids exploitation by handling the cumbersome offset-tweaking for you. Turbo Intruder is a dependency of this tool. Research write-up: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn


On occasion, this type of attack can result in authorization bypass (https://hackerone.com/reports/694604) and XSS (https://hackerone.com/reports/955170), among other vulnerabilities.


Zachary Stashis



Contents:

  1. Installation

  2. Usage

  3. Basic Usage

  4. LAB: HTTP request smuggling, basic CL.TE vulnerability (front-end server doesn't support chunked encoding)

  5. Resources

  6. Videos


(1) Installation

Confirm "Turbo Intruder" is installed (it is a requirement).

Extender > BApp Store > HTTP Request Smuggler > Select "Install"


(2) Usage

Because it is hard to find a target to run this on for example's sake, I will be doing the PortSwigger challenge labs.


(3) Basic Usage

Right-click on the domain > Select "Launch Smuggle probe"

Wait for response(s) in the Issue's box.

Investigate Issues.


(4) LAB: HTTP request smuggling, basic CL.TE vulnerability (front-end server doesn't support chunked encoding)


https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te


This lab involves a front-end and back-end server, and the front-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method.


To solve the lab, smuggle a request to the back-end server so that the next request processed by the back-end server appears to use the method GPOST.


Looking at the results of the Smuggle probe:

Right-Click inside the "Request" > Select "Send to Repeater"

Add "G" to the request and select "Send." The first time, you will see:

Submit the request again (selecting "Send"), and this time you will see the following error as the result.

The reason you see this error message is that the "G" from the previous request was carried over into the next request (the desync): the front-end server framed the body using Content-Length, while the back-end server framed it using Transfer-Encoding: chunked and stopped at the terminating chunk. The leftover "G" was then prepended to the next request, which effectively tried to send the request below, and the server doesn't recognize GPOST as an HTTP method.
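The following is an added example, not part of the original post or the BApp's code: a framing check of the kind a front-end proxy should run. It reports why an ambiguously framed request ought to be rejected and computes how many body bytes a chunked parser would leave behind for the next request, which is exactly the carried-over "G" in the lab. The sample request is constructed here to mirror the lab, with "example.test" as a placeholder host.

```python
# Constructed sample request (not from the post). Content-Length covers the
# whole body, but a chunked parser stops after the terminating "0" chunk.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

def parse_request(raw):
    """Split a raw request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def chunked_length(body):
    """Bytes a Transfer-Encoding: chunked parser consumes, including the 0 chunk."""
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            # terminating chunk: the (empty) trailer section ends at a blank line
            return body.index(b"\r\n", pos) + 2
        pos += size + 2  # chunk data plus its trailing CRLF

def framing_check(raw):
    """Return (reasons to reject, bytes a TE parser would leave for the next request)."""
    _, headers, body = parse_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    reasons = []
    if len(set(cl)) > 1:
        reasons.append("conflicting Content-Length values")
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if te and te[-1].lower() != b"chunked":
        reasons.append("unrecognised or obfuscated Transfer-Encoding")
    leftover = b""
    if cl and te:
        cl_view = body[: int(cl[0])]          # what a CL-only front end forwards
        leftover = cl_view[chunked_length(cl_view):]  # what a TE back end ignores
    return reasons, leftover
```

A front end that rejects any request where `reasons` is non-empty never forwards the ambiguous bytes, which is the mitigation the lab's CL.TE scenario lacks.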


(5) Resources

As you're attempting to accomplish any type of attack, make sure you are fully aware of what the attack is doing. Please take the time to read over the following documentation and watch the videos explaining what is happening.



(6) Videos


Whitepaper: https://portswigger.net/kb/papers/z7ow0oy8/http-desync-attacks.pdf
