Member-only story
Leveraging Burp Suite extension for finding HTTP Request Smuggling.
HTTP Request Smuggling is often left behind in bug bounty findings. But with the right extension, you can automate the task of finding HTTP request smuggling in your next bug bounty program.
Understanding HTTP Request Smuggling
Modern websites often deploy multiple proxy servers to forward the user request to the actual server which hosts the web application. These front-end or proxy servers with the actual back-end server are most common architecture in cloud applications.
The front-end server gets the requests from multiple users and forwards them to the back-end servers. These two servers must agree on the boundaries between the two different user requests. Sometimes these servers do not agree on the boundaries and an attacker can exploit this by modifying the HTTP request to cause HTTP Request Smuggling.
when front-end and back-end server does not agree on the boundary between user requests, HTTP Request Smuggling arises.
Boundaries (i.e) the end of the HTTP Request is defined by the “Content-Length” or “Transfer-Encoding” HTTP header. Some servers do not support “Transfer-Encoding” and some servers take the “Content-Length” header as the default one if both are present in the request. If the front-end and back-end servers of the application are not configured properly, they will take different boundary values, leading to a request smuggling vulnerability.
HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked
Content-Length: 4A Sample request with both header present.
An attacker can include both the headers with different values for a boundary in the HTTP request. If the front-end server accepts the “Transfer-Encoding” while the back-end server accepts the “Content-Length” header, it will lead to contamination in the request processing as the boundary value is different in each header. This can also happen vice-versa, where the front-end server accepts “Content-length” and the back-end server accepts “Transfer-Encoding”. The former is called TE.CL and the latter is CL.TE HTTP request smuggling vulnerability.
