ukysblog

portswigger-request smuggling theme

PRACTICE
2026-06-15
# portswigger
# penetration testing

HTTP request smuggling, basic CL.TE vulnerability

To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

According to the HTTP/1 specification, a request can use two different headers to specify its message length. If the two conflict, the back-end gives priority to Transfer-Encoding.

First, we sent the request to Repeater and enabled Show non-printable chars so that we could see how to write the line endings. We also had to downgrade the HTTP protocol from 2 to 1 in the Inspector.


Then we put both length headers in the request.

Content-Length: 6
Transfer-Encoding:chunked

Afterwards, we placed the terminating chunk 0\r\n\r\n two lines below the headers, followed by the payload G.

Sending the request twice, we saw the message "Unrecognized method GPOST" in the second response, because the G we had written was prepended to the beginning of the second request.


HTTP request smuggling, basic TE.CL vulnerability

This lab involves a front-end and back-end server, and the back-end server doesn't support chunked encoding. The front-end server rejects requests that aren't using the GET or POST method.

To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST.

Before starting, we need to understand how the HTTP RFC defines chunked encoding.

A chunked body is divided into three parts:

> hex number\r\n (the byte length of the chunk data, not counting \r\n)
> content\r\n
> 0\r\n\r\n

Because the front-end uses the Transfer-Encoding header, we have to build a chunk in our request.

Content-Length: 3
Transfer-Encoding: chunked

3
uky
0


Note that the number 3 appears twice here, with two different meanings.

The first one, in Content-Length, covers the 3 bytes of 3\r\n: the back-end, which uses Content-Length, stops reading the body just before the string uky. The second one is the chunk size, which specifies the length of the chunk data.

The remaining payload is then left in the TCP buffer. When the next request is sent, uky0 is prepended to it.
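
The two desyncs described above, modeled offline as an added example (not code from the original post or from PortSwigger): each helper reads the lab's request body the way a Content-Length parser or a chunked parser would, and desync returns the bytes the back-end leaves on the connection. The function names and the has_conflicting_lengths check are assumptions introduced for illustration.

```python
# Added example: how two servers split the same bytes when one trusts
# Content-Length and the other trusts Transfer-Encoding. No network I/O.

def split_by_content_length(body: bytes, length: int):
    """Return (body_read, leftover) for a parser that trusts Content-Length."""
    return body[:length], body[length:]

def split_by_chunked(body: bytes):
    """Return (body_read, leftover) for a parser that trusts chunked encoding."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # hex size, extensions ignored
        pos = eol + 2
        if size == 0:
            # Terminating chunk: this sketch only accepts an empty trailer section.
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("trailers are not handled in this sketch")
            return body[:pos + 2], body[pos + 2:]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2

def desync(body: bytes, content_length: int, front: str) -> bytes:
    """Bytes left unread by the back-end after the front-end forwards what it
    considers one complete body. front is "CL" or "TE"; the back-end uses the
    other header."""
    if front == "CL":
        forwarded, _ = split_by_content_length(body, content_length)
        _, leftover = split_by_chunked(forwarded)
    else:
        forwarded, _ = split_by_chunked(body)
        _, leftover = split_by_content_length(forwarded, content_length)
    return leftover

def has_conflicting_lengths(headers: dict) -> bool:
    """Defensive check: a request carrying both headers is ambiguous, so a
    front-end can reject it or normalize it before forwarding."""
    names = {name.strip().lower() for name in headers}
    return "content-length" in names and "transfer-encoding" in names

# Request bodies taken from the two labs above.
CL_TE_BODY = b"0\r\n\r\nG"             # sent with Content-Length: 6
TE_CL_BODY = b"3\r\nuky\r\n0\r\n\r\n"  # sent with Content-Length: 3

if __name__ == "__main__":
    print("CL.TE leftover:", desync(CL_TE_BODY, 6, front="CL"))
    print("TE.CL leftover:", desync(TE_CL_BODY, 3, front="TE"))
```

The leftover bytes are what the back-end treats as the start of the next request on the same connection, line endings included.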



uky

Back-end security, CTF web player
