TE.TE Vulnerabilities
Overview
TE.TE vulnerabilities occur when:
Both front-end and back-end support Transfer-Encoding: chunked
But one system can be tricked into ignoring the TE header through obfuscation
The tricked system falls back to using Content-Length
This effectively creates a CL.TE or TE.CL scenario depending on which system is tricked.
The Core Concept
Both systems support chunked encoding, but their implementations differ:
Some check for exact match: Transfer-Encoding: chunked
Some check for substring: looks for chunked anywhere in value
Some are strict about whitespace and formatting
Some are lenient and accept malformed headers
By exploiting these differences, we can make one system ignore the TE header.
TE Header Obfuscation Techniques
Technique | Header | Description
Substring match | Transfer-Encoding: testchunked | Value contains "chunked" but isn't exact
Space in header name | Transfer-Encoding : chunked | Space before colon
Horizontal Tab | Transfer-Encoding:[\x09]chunked | Tab (0x09) instead of space
Vertical Tab | Transfer-Encoding:[\x0b]chunked | Vertical tab (0x0b) separator
Leading space | Transfer-Encoding: chunked | Space before header name
Newline obfuscation | Transfer-Encoding: chunked\r\n\r\n | Extra CRLF
Case variation | Transfer-encoding: chunked | Lowercase 'e'
Duplicate header | Two Transfer-Encoding headers | First vs last wins
Note: [\x09] = horizontal tab (ASCII 0x09), [\x0b] = vertical tab (ASCII 0x0b)
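A defensive counterpart to the variants listed above, as an added example that is not part of the original page: a front-end check that classifies raw header lines so each variant is either rejected or rewritten to one canonical form before forwarding, which removes the parsing disagreement TE.TE depends on. The function name, verdict labels and sample lines are assumptions constructed for illustration, and rejecting Content-Length alongside Transfer-Encoding is a strict policy choice.

```python
import re

# Field names must be RFC 9110 "token" characters: no spaces, tabs or controls.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
CANONICAL = b"Transfer-Encoding: chunked"

def classify(header_lines):
    """Return (verdict, reason) for a request's raw header lines (CRLF removed).

    "pass": no TE header, or the canonical one. "normalize": legal variant,
    rewrite to CANONICAL before forwarding. "reject": answer 400 and close.
    """
    te = [l for l in header_lines
          if b"transfer-encoding" in l.partition(b":")[0].lower()]
    has_cl = any(l.lstrip().lower().startswith(b"content-length")
                 for l in header_lines)
    if not te:
        return ("pass", "no Transfer-Encoding header")
    if len(te) > 1:
        return ("reject", "duplicate Transfer-Encoding headers")
    name, _, value = te[0].partition(b":")
    if not TOKEN.fullmatch(name):
        return ("reject", "whitespace or control byte in field name")
    if re.search(rb"[\x00-\x08\x0a-\x1f\x7f]", value):  # HTAB (0x09) is legal
        return ("reject", "control byte in field value")
    if value.strip(b" \t").lower() != b"chunked":
        return ("reject", "coding is not exactly 'chunked'")
    if has_cl:  # strict policy choice (assumption): never forward CL with TE
        return ("reject", "Content-Length sent together with Transfer-Encoding")
    if te[0] != CANONICAL:
        return ("normalize", "legal variant, rewrite to canonical form")
    return ("pass", "canonical")

# Constructed samples mirroring the table's variants (not captured traffic).
SAMPLES = {
    "canonical": [b"Transfer-Encoding: chunked"],
    "substring": [b"Transfer-Encoding: testchunked"],
    "space before colon": [b"Transfer-Encoding : chunked"],
    "horizontal tab": [b"Transfer-Encoding:\tchunked"],
    "vertical tab": [b"Transfer-Encoding:\x0bchunked"],
    "leading space": [b" Transfer-Encoding: chunked"],
    "case variation": [b"Transfer-encoding: chunked"],
    "duplicate": [b"Transfer-Encoding: chunked", b"Transfer-Encoding: x"],
    "with Content-Length": [b"Content-Length: 4", b"Transfer-Encoding: chunked"],
}

if __name__ == "__main__":
    for label, lines in SAMPLES.items():
        print(f"{label:20}", *classify(lines))
```

The extra-CRLF variant is not modelled here because the input is already split into lines; a bare CR or LF left inside a value is still caught by the control-byte check.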
Identification
Step 1: Prepare Test Request
Step 2: Apply Obfuscation
Try each obfuscation technique. Example with Horizontal Tab:
Open request in Burp Repeater
Switch to Hex view
Find the space (0x20) between Transfer-Encoding: and chunked
Change 0x20 to 0x09 (horizontal tab)
Step 3: Send Twice Rapidly
Send the obfuscated request
Immediately send it again
Check second response
Confirmation
If second response returns HTTP 405 Method Not Allowed:
Obfuscation worked
One system ignored TE header
Vulnerable to TE.TE (effectively CL.TE)
Testing All Obfuscation Methods
Systematic Approach
Try each method until one works:
Burp Suite Hex Editing
In Repeater, click Hex tab at bottom
Find the byte to modify
Double-click and enter new hex value
Switch back to Raw to verify
Exploitation
Scenario
Same as CL.TE - force admin to perform action.
Exploit Request (Horizontal Tab Method)
Note: The tab character between : and chunked must be inserted via hex editor.
Exploit Request (Vertical Tab Method)
Note: Vertical tab (0x0b) between : and chunked.
Time-Sensitive Exploitation
The Challenge
TE.TE exploits are often time-sensitive because:
Multiple worker threads
Connection pooling
Request must hit right after smuggled prefix
Strategy
Determine admin timing (e.g., admin visits every 10 seconds)
Send requests periodically (about once per second)
Continue until success (smuggled request catches admin's request)
Practical Steps
Burp Intruder for Timing
Send request to Intruder
Set Null payload type
Configure to generate X requests
Set throttle to 1000ms between requests
Start attack
Complete Attack Flow
Differences from CL.TE
Aspect | CL.TE | TE.TE
Front-end TE support | No | Yes (but tricked)
Requires obfuscation | No | Yes
Complexity | Lower | Higher
Detection | Easier | Harder (need to find working obfuscation)
Tips & Tricks
Finding the Right Obfuscation
Start with common methods (tab, space, substring)
Test each systematically
Different setups need different obfuscations
Document what works for the target
Hex Values Reference
Common Server Behaviors
Server | Behavior
Apache | Often strict
Nginx | Usually strict
Gunicorn | May be lenient
HAProxy | Depends on config
AWS ALB | Usually strict
Persistence is Key
Multiple attempts often needed
Timing varies
Keep trying different obfuscations
Log successful techniques
Lab Walkthrough Summary
Identify admin action endpoint (e.g., /admin?reveal_flag=1)
Test for TE.TE using obfuscation + double-send technique
Find working obfuscation (e.g., vertical tab separator)
Craft exploit with smuggled admin request
Send periodically (every ~1 second for 10+ seconds)
Verify action was performed (check admin page)