search

TE.TE Vulnerabilities

hashtag
Overview

TE.TE vulnerabilities occur when:

  • Both front-end and back-end support Transfer-Encoding: chunked

  • But one system can be tricked into ignoring the TE header through obfuscation

  • The tricked system falls back to using Content-Length

This effectively creates a CL.TE or TE.CL scenario depending on which system is tricked.

hashtag
The Core Concept

Both systems support chunked encoding, but their implementations differ:

  • Some check for exact match: Transfer-Encoding: chunked

  • Some check for substring: looks for chunked anywhere in value

  • Some are strict about whitespace and formatting

  • Some are lenient and accept malformed headers

By exploiting these differences, we can make one system ignore the TE header.

hashtag
TE Header Obfuscation Techniques

Technique
Header
Description

Substring match

Transfer-Encoding: testchunked

Value contains "chunked" but isn't exact

Space in header name

Transfer-Encoding : chunked

Space before colon

Horizontal Tab

Transfer-Encoding:[\x09]chunked

Tab (0x09) instead of space

Vertical Tab

Transfer-Encoding:[\x0b]chunked

Vertical tab (0x0b) separator

Leading space

Transfer-Encoding: chunked

Space before header name

Newline obfuscation

Transfer-Encoding: chunked\r\n\r\n

Extra CRLF

Case variation

Transfer-encoding: chunked

Lowercase 'e'

Duplicate header

Two Transfer-Encoding headers

First vs last wins

Note: [\x09] = horizontal tab (ASCII 0x09), [\x0b] = vertical tab (ASCII 0x0b)

hashtag
Identification

hashtag
Step 1: Prepare Test Request

hashtag
Step 2: Apply Obfuscation

Try each obfuscation technique. Example with Horizontal Tab:

  1. Open request in Burp Repeater

  2. Switch to Hex view

  3. Find the space (0x20) between Transfer-Encoding: and chunked

  4. Change 0x20 to 0x09 (horizontal tab)

hashtag
Step 3: Send Twice Rapidly

  1. Send the obfuscated request

  2. Immediately send it again

  3. Check second response

hashtag
Confirmation

If second response returns HTTP 405 Method Not Allowed:

  • βœ… Obfuscation worked

  • βœ… One system ignored TE header

  • βœ… Vulnerable to TE.TE (effectively CL.TE)

hashtag
Testing All Obfuscation Methods

hashtag
Systematic Approach

Try each method until one works:

hashtag
Burp Suite Hex Editing

  1. In Repeater, click Hex tab at bottom

  2. Find the byte to modify

  3. Double-click and enter new hex value

  4. Switch back to Raw to verify

hashtag
Exploitation

hashtag
Scenario

Same as CL.TE - force admin to perform action.

hashtag
Exploit Request (Horizontal Tab Method)

Note: The tab character between : and chunked must be inserted via hex editor.

hashtag
Exploit Request (Vertical Tab Method)

Note: Vertical tab (0x0b) between : and chunked.

hashtag
Time-Sensitive Exploitation

hashtag
The Challenge

TE.TE exploits are often time-sensitive because:

  • Multiple worker threads

  • Connection pooling

  • Request must hit right after smuggled prefix

hashtag
Strategy

  1. Determine admin timing (e.g., admin visits every 10 seconds)

  2. Send requests periodically (about once per second)

  3. Continue until success (smuggled request catches admin's request)

hashtag
Practical Steps

hashtag
Burp Intruder for Timing

  1. Send request to Intruder

  2. Set Null payload type

  3. Configure to generate X requests

  4. Set throttle to 1000ms between requests

  5. Start attack

hashtag
Complete Attack Flow

hashtag
Differences from CL.TE

Aspect
CL.TE
TE.TE

Front-end TE support

❌ No

βœ… Yes (but tricked)

Requires obfuscation

❌ No

βœ… Yes

Complexity

Lower

Higher

Detection

Easier

Harder (need to find working obfuscation)

hashtag
Tips & Tricks

hashtag
Finding the Right Obfuscation

  • Start with common methods (tab, space, substring)

  • Test each systematically

  • Different setups need different obfuscations

  • Document what works for the target

hashtag
Hex Values Reference

hashtag
Common Server Behaviors

Server
Typical Behavior

Apache

Often strict

Nginx

Usually strict

Gunicorn

May be lenient

HAProxy

Depends on config

AWS ALB

Usually strict

hashtag
Persistence is Key

  • Multiple attempts often needed

  • Timing varies

  • Keep trying different obfuscations

  • Log successful techniques

hashtag
Lab Walkthrough Summary

  1. Identify admin action endpoint (e.g., /admin?reveal_flag=1)

  2. Test for TE.TE using obfuscation + double-send technique

  3. Find working obfuscation (e.g., vertical tab separator)

  4. Craft exploit with smuggled admin request

  5. Send periodically (every ~1 second for 10+ seconds)

  6. Verify action was performed (check admin page)

hashtag
References

PreviousTE.CL VulnerabilitiesNextVulnerable Software

Last updated