Self Notes: Web Security Academy HTTP Request Smuggling Lab 5

Lab 5 can be found here.
In this lab, we need to confirm a TE-CL vulnerability via differential responses. We are given a front-end/back-end server pair where the back-end server does not support Transfer-Encoding, and the task is to poison the back-end server so that when a normal request is made to it, a 404 Not Found is obtained. Since this lab is similar to the previous one, I will go straight to exploitation. The poisoned request:


Since it has already been made clear that the front-end/back-end server pair is TE-CL, the request uses a payload such that the content length read by the back-end server is just 5, which is why we get a response of "Bad Request 'Missing Parameter'". The rest of the request body is left behind to poison the back-end server. A subsequent request to the web root, or to any directory at all, results in the following:


Lab 5 Solved.
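
To make the TE-CL framing disagreement described above concrete, here is an added example (not the request used in the lab and not PortSwigger's code). It models the two parsers in simplified form and adds a check a front-end could apply; the host name, placeholder chunk data and header values are constructed for illustration.

```python
# Simplified models of the two parsers; constructed values, not the lab's request.

def split_head(raw):
    """Return (headers keyed by lowercase name, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def frontend_body_len(body):
    """Front-end model: follows Transfer-Encoding: chunked up to the 0-size chunk."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol], 16)
        pos = eol + 2
        if size == 0:
            return pos + 2                        # CRLF that ends the body
        pos += size + 2                           # chunk data plus its CRLF

def leftover_on_backend(raw):
    """Bytes the front-end forwards as body that a Content-Length back-end never consumes."""
    headers, body = split_head(raw)
    forwarded = body[:frontend_body_len(body)]
    return forwarded[int(headers[b"content-length"]):]

def is_ambiguous(raw):
    """Defensive check: both framing headers present, so the request should be rejected."""
    headers, _ = split_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

CHUNK = b"PLACEHOLDER-BYTES"                      # constructed, stands in for chunk data
SIZE_LINE = b"%x\r\n" % len(CHUNK)                # b"11\r\n", 4 bytes
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          + b"Content-Length: %d\r\n" % len(SIZE_LINE)
          + b"Transfer-Encoding: chunked\r\n\r\n"
          + SIZE_LINE + CHUNK + b"\r\n0\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\na=1"

if __name__ == "__main__":
    print("left on back-end socket:", leftover_on_backend(SAMPLE))
    print("ambiguous framing:", is_ambiguous(SAMPLE), is_ambiguous(CLEAN))
```

The non-empty leftover is what the back-end treats as the start of the next request on the same connection, which is why a later normal request gets an unexpected response. The model ignores duplicate or obfuscated headers, which a real check would also have to normalise.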

