mirror of
https://github.com/0x5t4l1n/hunting.git
synced 2026-05-26 19:36:33 +00:00
68b76036df
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
42 lines
1.3 KiB
Markdown
# HTTP Request Smuggling

## Description

HTTP Request Smuggling occurs when the front-end and back-end servers disagree about where one request ends and the next begins. This vulnerability allows attackers to bypass security controls, gain unauthorized access, and poison web caches.

## Vulnerability Types

- **CL.TE** - Content-Length vs Transfer-Encoding
- **TE.CL** - Transfer-Encoding vs Content-Length
- **TE.TE** - Transfer-Encoding obfuscation
- **CL.CL** - Duplicate Content-Length headers
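
The four types above all come down to ambiguous framing headers, which a defender can check for in captured or logged request heads. The Python sketch below is an added example, not code from this repository; the function name, the finding labels and the sample requests are constructed for illustration, and it assumes CRLF line endings.

```python
import re

# RFC 9110 "token": the only characters allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
FRAMING = (b"content-length", b"transfer-encoding")

def framing_findings(raw: bytes) -> list[str]:
    """Flag ambiguous message framing in one raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings, lengths, codings = set(), [], []
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        if line[:1] in (b" ", b"\t"):
            findings.add("obs-fold")              # folded line, parsers differ
            continue
        name, _, value = line.partition(b":")
        canon = name.strip().lower()
        if canon not in FRAMING:
            continue
        if not TOKEN.fullmatch(name):
            findings.add("malformed-name")        # e.g. space before the colon
        values = [v.strip() for v in value.split(b",")]
        if canon == b"content-length":
            lengths += values
        else:
            codings += [v.lower() for v in values]
    if lengths and codings:
        findings.add("CL+TE")                     # CL.TE or TE.CL, per server pair
    if len(lengths) > 1:
        findings.add("CL.CL")                     # strict: any duplicate is flagged
    if any(not v.isdigit() for v in lengths):
        findings.add("bad-CL")
    if codings and codings != [b"chunked"]:
        findings.add("unusual-TE")                # stacked, duplicated or unknown coding
    return sorted(findings)

# Constructed sample requests (example.test is a placeholder host).
BASE = b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "clean": BASE + b"Content-Length: 3\r\n\r\nabc",
    "cl_te": BASE + b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n",
    "cl_cl": BASE + b"Content-Length: 3\r\nContent-Length: 8\r\n\r\n",
    "te_obf": BASE + b"Transfer-Encoding : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, framing_findings(raw) or "ok")
```

A finding means the request is one that two parsers may frame differently, not that a given server pair is affected; rejecting or normalizing such requests at the front end removes the disagreement.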

## Common Attack Vectors

- Front-end/Back-end server desynchronization
- Load balancer misconfigurations
- Reverse proxy issues
- CDN edge servers
- WAF bypass

## Impact

- Bypass security controls
- Web cache poisoning
- Cross-site scripting
- Request hijacking
- Credential theft
- Access other users' requests

## Testing Approach

1. Send requests with conflicting Content-Length and Transfer-Encoding headers
2. Observe timing differences and response variations
3. Test with different header obfuscation techniques
4. Verify if smuggled requests affect subsequent requests

## Common Vulnerable Configurations

- HAProxy + Apache
- Nginx + Apache
- AWS ALB + various backends
- Akamai + various backends
- Cloudflare + various backends

## Payloads

See `http-request-smuggling-payloads.txt` for a comprehensive list of HTTP Request Smuggling payloads.