TE.CL Vulnerabilities

Overview

TE.CL vulnerabilities occur when:

  • Front-end (Reverse Proxy/WAF): Uses Transfer-Encoding: chunked

  • Back-end (Web Server): Uses Content-Length

This creates an opportunity to bypass WAFs and other security controls.


Burp Suite Configuration

⚠️ Critical Setup Required

Before testing TE.CL, configure Burp Repeater:

1. Disable Auto Content-Length Update

  1. In Repeater, click Settings icon (⚙️) next to Send button

  2. Uncheck "Update Content-Length"

[Settings Icon] → ☐ Update Content-Length

2. Create Tab Group for Sequential Requests

  1. Right-click request tab → Add tab to group → Create tab group

  2. Add both test requests to the group

  3. Click arrow next to Send → Send group in sequence (single connection)

This sends all requests via the same TCP connection - essential for TE.CL exploitation.


Foundation

The Core Concept

Consider this request:

Front-end Perspective (Uses TE)

The front-end parses chunked encoding:

Result: Complete request, forwards all bytes to back-end.

Back-end Perspective (Uses CL)

The back-end sees Content-Length: 3 and parses:

Leftover in TCP buffer:

These bytes become the beginning of the next request.


Attack Scenario

Step 1: Attacker Sends Smuggling Request

Step 2: Victim/Probe Request

TCP Stream Analysis

Front-end view (splits by chunked encoding):

Back-end view (splits by Content-Length):

Result

The back-end receives an invalid request starting with HELLO → 400 Bad Request
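
The two views described above, as an added example that is not part of the original page: a simplified Python model that frames the same connection bytes once with Transfer-Encoding taking priority (front-end) and once with Content-Length taking priority (back-end), which makes the leftover bytes visible. The sample traffic, the host name example.test and all function names are constructed for illustration.

```python
CRLF = b"\r\n"
# Constructed sample (added example): a POST carrying both headers, then a GET.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n5\r\nHELLO\r\n0\r\n\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

def split_head(buf):
    """Return (lower-cased header dict, bytes after the blank line)."""
    head, _, rest = buf.partition(CRLF * 2)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def chunked_len(rest):
    """Bytes used by a chunked body up to and including the 0 chunk."""
    pos = 0
    while True:
        eol = rest.index(CRLF, pos)
        size = int(rest[pos:eol].split(b";")[0], 16)
        pos = eol + 2 + size + 2          # size line + data + CRLF
        if size == 0:
            return pos

def frame(buf, prefer):
    """Split one connection's bytes into messages; prefer is 'te' or 'cl'."""
    messages = []
    while buf:
        headers, rest = split_head(buf)
        head_len = len(buf) - len(rest)
        cl = headers.get(b"content-length")
        chunked = b"chunked" in headers.get(b"transfer-encoding", b"")
        use_te = chunked and (prefer == "te" or cl is None)
        n = chunked_len(rest) if use_te else int(cl or 0)
        messages.append(buf[:head_len + n])
        buf = buf[head_len + n:]
    return messages

def first_lines(buf, prefer):
    return [m.split(CRLF)[0] for m in frame(buf, prefer)]

def has_te_and_cl(message):
    """True for a request a front-end should reject or normalise (RFC 9112)."""
    headers = split_head(message)[0]
    return b"transfer-encoding" in headers and b"content-length" in headers

if __name__ == "__main__":
    print(first_lines(SAMPLE, "te"), first_lines(SAMPLE, "cl"))
```

A front-end that rejects or normalises every request for which has_te_and_cl is true removes the ambiguity that both framings depend on.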


Identification

Test Requests

Request 1 (Tab 1 - Smuggling):

Request 2 (Tab 2 - Probe):

Testing Procedure

  1. Create tab group with both requests

  2. Disable "Update Content-Length"

  3. Select "Send group in sequence (single connection)"

  4. Click Send

Confirmation

Request 1 Response: Normal (200 OK or expected response)

Request 2 Response:

If Request 2 shows this error → Vulnerable to TE.CL


WAF Bypass Exploitation

Scenario

  • The WAF blocks requests containing /admin in the URL

  • Goal: Access /admin panel

The Bypass Technique

Send requests that the WAF sees as benign but that the back-end interprets differently.

Exploit Requests

Request 1 (Smuggling):

Request 2 (Trigger):

Chunk Size Calculation

The chunk size 27 (hex) = 39 (decimal) bytes:


TCP Stream Analysis

WAF View (Uses TE)

WAF sees: Two requests to /404 → No blocking (no /admin in URLs)

Back-end View (Uses CL)

Back-end sees:

  1. GET /404 → 404 response

  2. GET /admin → Admin panel! ✅

  3. Invalid request → error


Response Mapping

| Request Sent | WAF Sees | Back-end Processes | Response Received |
|--------------|----------|--------------------|-------------------|
| Request 1    | GET /404 | GET /404           | 404 Not Found     |
| Request 2    | GET /404 | GET /admin         | 200 OK (Admin!)   |

The response to Request 2 contains the admin panel content!


Calculating Chunk Size

Method: Character Count

  1. Write the smuggled request (without chunk size line)

  2. Count all characters including \r\n

  3. Convert decimal to hexadecimal

Example

Counting:

Total: 42 bytes = 0x2a in hex

Quick Method in Burp

  1. Highlight the smuggled request text

  2. Check character count at bottom of Burp

  3. Use calculator: decimal → hex


Complete Attack Flow Diagram


TE.TE to TE.CL Conversion

Sometimes you need to obfuscate the TE header to create a TE.CL scenario:

Using Substring Match

The asdchunked obfuscation:

  • Front-end: May still parse as chunked (substring match)

  • Back-end: Ignores invalid TE, uses CL


Server Logs Evidence

When exploitation succeeds, back-end logs show:

Three requests logged, but only two were "sent".


Tips & Tricks

Content-Length Values

| CL Value | Includes                        |
|----------|---------------------------------|
| 3        | 5\r\n (chunk size + CRLF)       |
| 4        | 27\r\n (two-digit chunk + CRLF) |

Common Pitfalls

  1. ❌ Forgetting to disable "Update Content-Length"

  2. ❌ Not using single connection for requests

  3. ❌ Wrong chunk size calculation

  4. ❌ Missing trailing \r\n after smuggled request

Verification

Check if responses are swapped:

  • Request 1 gets Request 2's expected response

  • Request 2 gets smuggled request's response


Differences from CL.TE

| Aspect                 | CL.TE                   | TE.CL                   |
|------------------------|-------------------------|-------------------------|
| Front-end uses         | Content-Length          | Transfer-Encoding       |
| Back-end uses          | Transfer-Encoding       | Content-Length          |
| Smuggled data location | After empty chunk       | In chunk body           |
| CL header manipulation | Set to include smuggled | Set to exclude smuggled |
| Common use case        | Force user actions      | WAF bypass              |


Lab Walkthrough Summary

  1. Identify blocked endpoint (e.g., /admin returns "Unauthorized")

  2. Configure Burp: Disable auto CL, create tab group

  3. Test for TE.CL using POST + GET technique

  4. Calculate chunk size for smuggled request

  5. Craft two GET /404 requests with smuggled /admin

  6. Send in sequence via single connection

  7. Check Response 2 for admin panel content

