CL.TE Vulnerabilities
Overview
CL.TE vulnerabilities occur when:
Front-end (Reverse Proxy): Does NOT support chunked encoding → uses Content-Length
Back-end (Web Server): Correctly uses Transfer-Encoding (per RFC)
This discrepancy allows attackers to smuggle requests through the front-end.
Foundation
The Core Concept
Consider this malicious request:
POST / HTTP/1.1
Host: clte.htb
Content-Length: 10
Transfer-Encoding: chunked

0

HELLO

Front-end Perspective (Uses CL)
The front-end sees Content-Length: 10 and parses:
Result: All 10 bytes consumed, request forwarded to back-end.
Back-end Perspective (Uses TE)
The back-end prefers Transfer-Encoding: chunked and sees:
The 0 chunk terminates the body. The bytes HELLO remain unconsumed in the TCP stream.
The Desync
The leftover HELLO becomes the beginning of the next request.
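The two framing rules above, modelled on the page's own HELLO request, together with a check for the condition the desync depends on (both framing headers present). This is an added example, not code from the original page; the function names are hypothetical and the chunked parser assumes an empty trailer section.

```python
# Added example: toy model of the two body-framing rules described above.
# All function names are hypothetical; SAMPLE is the page's request as bytes.

def split_head(raw: bytes):
    """Return (headers with lowercase names, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, rest

def body_end_by_content_length(headers) -> int:
    """Front-end rule: the body is exactly Content-Length bytes long."""
    return int(headers.get(b"content-length", b"0"))

def body_end_by_chunked(rest: bytes) -> int:
    """Back-end rule: read chunks until the zero-size chunk ends the body."""
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return rest.index(b"\r\n", pos) + 2        # assumes no trailers
        pos += size + 2                                # chunk data + its CRLF

def leftover_after_backend(raw: bytes) -> bytes:
    """Bytes the front-end forwards as body but the back-end leaves unread."""
    headers, rest = split_head(raw)
    forwarded = rest[:body_end_by_content_length(headers)]
    return forwarded[body_end_by_chunked(forwarded):]

def has_ambiguous_framing(raw: bytes) -> bool:
    """True when both framing headers are present: reject or normalise."""
    headers, _ = split_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

# The request from "The Core Concept", written out with CRLF line endings.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: clte.htb\r\nContent-Length: 10\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nHELLO")

if __name__ == "__main__":
    print(leftover_after_backend(SAMPLE))    # what stays in the TCP stream
    print(has_ambiguous_framing(SAMPLE))     # what a front-end should flag
```

A front-end that runs a check like has_ambiguous_framing before forwarding never hands the back-end a request the two sides can frame differently.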
Attack Scenario
Step 1: Attacker Sends Smuggling Request
Step 2: Victim Sends Normal Request
TCP Stream Analysis
Front-end view (splits by Content-Length):
Back-end view (splits by chunked encoding):
Result
The victim receives HTTP 405 Method Not Allowed because HELLOGET is not a valid HTTP method.
Identification
Test Requests
Request 1 (Smuggling request):
Request 2 (Probe request):
Testing Procedure
Open two tabs in Burp Repeater
Send Request 1 (smuggling request)
Immediately send Request 2 (probe request)
Observe response to Request 2
Confirmation
If Request 2 returns HTTP 405 Not Allowed instead of HTTP 200, the target is vulnerable to CL.TE.
Exploitation
Goal: Force Admin to Perform Action
Assume we want to force the admin to access /admin.php?promote_uid=2.
Crafted Smuggling Request
Note: The Dummy: header "absorbs" the first line of the victim's request as a header value.
What Happens
Admin sends normal request:
Front-end TCP stream view:
Back-end TCP stream view:
Result
The back-end sees:
Our harmless POST to /
Admin's authenticated request to /admin.php?promote_uid=2
The admin unknowingly promotes our user!
Content-Length Calculation
Important: Calculate CL Accurately
The Content-Length must include:
Counting Bytes
| Component | Bytes |
| --- | --- |
| 0 | 1 |
| \r\n | 2 |
| \r\n | 2 |
| POST /admin.php?promote_uid=2 HTTP/1.1 | 38 |
| \r\n | 2 |
| Dummy: | 7 |
| Total | 52 |
Practical Example: Reveal Flag
Scenario
Admin area at /admin.php
Action: /admin.php?reveal_flag=1
Only admin can reveal the flag
Smuggling Request
Content-Length Breakdown
Execution
Send the smuggling request
Wait ~10 seconds for admin to visit the site
Admin's request gets transformed:
Admin intended:
Back-end receives:
Check /admin.php - flag should be revealed!
Tips & Tricks
Timing is Critical
Requests share TCP connection
Send probe immediately after smuggling request
In exploitation, wait for victim's request
Header Absorption Technique
Use dummy headers to absorb victim's request line:
The victim's GET / HTTP/1.1 becomes a header value.
Burp Suite Settings
Disable "Update Content-Length" in Repeater
Use \r\n (CRLF) line endings
Check "Normalize HTTP/1 line endings" is OFF
Common Indicators
| Indicator | Meaning |
| --- | --- |
| 405 Method Not Allowed | Smuggled prefix corrupted method |
| 400 Bad Request | Malformed smuggled request |
| Timeout | Request waiting for more data |
| Different response | Successfully influenced request |
Diagram: CL.TE Attack Flow