Hey everyone! Check out this playlist for all my solutions to the HTTP Request Smuggling labs from PortSwigger - 👀
th-cam.com/play/PLGb2cDlBWRUX1_7RAIjRkZDYgAB3VbUSw.html
Here are the timestamps for this video - ⏱
00:00 - Intro
00:23 - Set up an Attack Request and a Normal Request
02:07 - Trigger a Differential Response
02:26 - Why we add a Request Header
03:29 - Try and smuggle a GET request for /admin
03:50 - Work around 'Admin Interface only for local users'
04:24 - Why we get a Duplicate Header names error
04:54 - How to fix the duplicate host header
05:37 - Why we need to set a Content-Length
06:30 - What is the minimum Content Length?
why did we need "Content-Type: application/x-www-form-urlencoded" in the smuggled request?
But when you add the content-length to the smuggled request, shouldn't it be ignored because that request is in the backend which uses TE and not CL?
hey @tarekradwan8661, the backend follows the RFC, which states that if both the Content-Length header and Transfer-Encoding header are present, the Transfer-Encoding header should be given precedence.
In our smuggled request we don't set a Transfer-Encoding header, so the backend is using Content-Length for the smuggled request.
Holy crap these labs are way harder than anything else on the academy. For someone who has never worked with request smuggling, these labs require a good amount of real-world practice and reading/studying before trying to solve them.
hey @kallikantzaros, yeah they're definitely a step up from some of the other topics! 😅 I found that watching James Kettle's talks and reading the white papers he wrote on the subject helped me a lot when I started learning about request smuggling.
If you do this, it will separate the smuggled request from the normal request, rather than putting the normal request in the body of the smuggled request? That is, here we will have 2 separate requests, one is a smuggled request, the other is a normal request.
so i write:
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 2
0
it's also okay
I'm sorry,
I understood
at 7:00 it's trippy that we can send data in the body of the get request because if we try to do the same thing as a normal request it's denied
I guess the check is also only in the application layer. Is that normal?
You got one more subscriber. You deserve more
thank you @kamalsharma2839! That's very nice to hear ☺️
Love your explanation, very helpful for me to understand HTTP request smuggling. +sub
thanks a mil @ardiasx! glad it was helpful and thanks for the sub!