Add Lab: HTTP request smuggling, basic CL.TE vulnerability
frank-leitner committed Oct 22, 2022
1 parent 979064e commit fc0a75d
Showing 12 changed files with 84 additions and 0 deletions.
@@ -0,0 +1 @@
<mxfile host="app.diagrams.net" modified="2022-10-22T12:38:48.163Z" agent="5.0 (Windows)" etag="hmRvzqo6q1kvtMtSXBpN" version="20.5.1"><diagram id="BEy5XwOoqincAIX5F3AM" name="Page-1">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</diagram></mxfile>
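Review bot: The diagram source is committed in draw.io's compressed form, a single `<mxfile>` line whose `<diagram>` payload is opaque, so any later change to the request-flow picture will diff as one replaced line rather than as readable XML. Since the write-up embeds the rendered `img/diagram.png` anyway, consider saving the source with draw.io's compression turned off so the boxes, arrows and labels (front-end, back-end, the smuggled `X`) stay reviewable in the repository; the `modified`, `etag` and `agent` attributes on `<mxfile>` are tool metadata and are harmless to keep.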
@@ -0,0 +1,83 @@
# Write-up: HTTP request smuggling, basic CL.TE vulnerability @ PortSwigger Academy

![logo](img/logo.png)

This write-up for the lab *HTTP request smuggling, basic CL.TE vulnerability* is part of my walk-through series for [PortSwigger's Web Security Academy](https://portswigger.net/web-security).

**Learning path**: Advanced topics → HTTP request smuggling

Lab-Link: <https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te>
Difficulty: PRACTITIONER
Currently no python script

## Lab description

![Lab description](img/lab_description.png)

## Steps

Usually, the first step is to analyze the functionality of the lab application, which is a blog application. In this case, however, the vulnerability lies in the server itself.

---

### The theory

According to the lab description, the lab contains multiple servers that disagree on how HTTP requests are parsed.

While the front-end server only allows `GET` and `POST` requests, the back-end server supports a custom `GPOST` verb.

The first attempt is to find out whether the two servers agree on the interpretation of the headers `Content-Length` and `Transfer-Encoding`. By definition, the `Transfer-Encoding` shall take precedence if both headers are present.

If I can craft a request that the front-end server interprets as two different requests, then it will send two different requests to the back-end server.

---

### Trying things out

I send one of the requests to Burp Repeater. A `GET` request can not contain body data, so I change the verb to `POST`.

The first test is to check whether the front-end server uses `Content-Length` while the back-end server uses `Transfer-Encoding`.

For this, I need to prevent Burp to update the `Content-Length` header automatically for me:

![Deactivate content length recalculation](img/deactive_content_length_update.png)

I can now craft a request that contains inconsistent information. If the servers are vulnerable to this type of attack, then the front-end server will terminate the request after the `A` based on the value of `Content-Length`.

After the back-end server receives the request, it will wait for additional chunks, causing a delay. Sure enough, I receive a timeout after sending the request:

![](img/getting_timeout.png)

In this test, the front-end server cut a message short while the back-end server waited for the remaining content.

I can reverse this by causing the front-end server to send more content than the back-end server expects. The additional characters will then be prepended to the next request.

For the next request, I reactivate the automatic recalculation of `Content-Length`. I need to send the request twice, the first will result in the normal response while the second might reveal what the back-end server ends up receiving:

![](img/smuggled_character_request_1.png)

![](img/smuggled_character_request_2.png)

The second response proves that the `X` that was embedded in the first request got prepended to the second request, forming an invalid `XPOST` request:

![](img/diagram.png)

---

### The malicious payload

Now I know that I can send requests that result in arbitrary characters added to the beginning of the next request. For this lab, I need to send a `GPOST` request so I have to perform just a minor alteration to my test request. Again, I have to send the request twice:

![](img/sending_gpost_request.png)

At that moment, the lab updates to

![Lab solved](img/success.png)

---

### Another way

I can also smuggle a complete second request. In the body, I terminate the message with a zero-length chunk as above and follow up with a `GPOST` request. After sending it twice, I receive the `GPOST` method error again:

![](img/smuggle_second_request.png)
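Review bot: The sentence in "The theory" that reads "If I can craft a request that the front-end server interprets as two different requests, then it will send two different requests to the back-end server" has the roles reversed for a CL.TE case: the front-end honours `Content-Length`, sees a single request and forwards the whole body, and it is the back-end, honouring `Transfer-Encoding`, that stops at the zero-length chunk and treats the remaining bytes as the beginning of the next request, which is exactly what the `XPOST` and `GPOST` results in the later sections show. Suggest rewording to "a request that the front-end forwards as one request but the back-end parses as two". Two smaller points: the crafted requests (the timeout probe, the `X`-prefix test and the `GPOST` payload) exist only as screenshots, so a fenced copy of each raw request showing its `Content-Length` and `Transfer-Encoding: chunked` headers would make the write-up readable and diffable without the images; and the precedence statement "By definition, the `Transfer-Encoding` shall take precedence" could cite RFC 7230 section 3.3.3, which gives `Transfer-Encoding` precedence when both headers are present and says such a message ought to be handled as an error, which is the reason the two servers disagreeing is exploitable at all. Minor grammar and markdown: "prevent Burp to update" should be "prevent Burp from updating", and the image embeds from the timeout screenshot onward have empty alt text.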

0 comments on commit fc0a75d
