HTTP request smuggling, basic CL.TE vulnerability
To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method
GPOST.
According to HTTP/1 specification,the front-end can use two different headers to specify different message length . If methods conflict,the back-end prioritizes to use Transfer-Encoding.
Firstly,we sent the request to the repeater,and enable the Show non-printable chars so that we could know how to write the ending. Furthermore, we had to downgrade the HTTP protocol from 2 to 1 in Inspector.

Then we forged two methods in the request.
Content-Length: 6
Transfer-Encoding:chunked
Afterwards, we built chunk ending 0\r\n\r\n at two lines below,followed by payload G.
Sending in twice, we could notice a message "Unrecognized method GPOST" displayed on the second response,because the G we wrote down was prepended to the beginning of the second request.

HTTP request smuggling, basic TE.CL vulnerability
This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method.
To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method
GPOST.
Before starting, we need to understand the mechanism of HTTP RFC
A chunk is divided to three parts:
> hex number\r\n (refer to the byte length of chunk data without \r\n)
> content\r\n
> 0\r\n\r\n
Because the front-end uses Transfer-Encoding header, we have to forge a chunk in our request.
Content-Length: 3
Transfer-Encoding: chunked
3
uky
0
Note here's two numbers 3, they have different implications.
The first one in Content-Length refers to 3\r\n, the back-end which uses Content-Length method recognizes that it should be truncated before strings uky. The second one is used in chunk to specify the chars' size.
And then, the remaining payload will be saved into TCP buffer. When the next request is sent, uky0 will prepend to it.

