search

Vulnerable Software

hashtag
Overview

Request smuggling doesn't only arise from CL/TE parsing differences. Software-specific bugs can also cause incorrect request length parsing, leading to desynchronization.

This section covers vulnerabilities in specific software implementations that enable request smuggling attacks.

hashtag
Gunicorn 20.0.4 - Sec-Websocket-Key1 Bug

hashtag
Vulnerability Details

Property
Value

Software

Gunicorn (Python WSGI HTTP Server)

Affected Version

20.0.4

Bug

Sec-Websocket-Key1 header truncates body to 8 bytes

Impact

Request smuggling, WAF bypass

hashtag
The Bug

When Gunicorn 20.0.4 encounters the Sec-Websocket-Key1 HTTP header:

  • It ignores the Content-Length header

  • It ignores the Transfer-Encoding header

  • It forces request body length to exactly 8 bytes

This is a legacy WebSocket handshake header that triggers buggy behavior.

hashtag
Why It's Exploitable

This creates desynchronization even when both systems "support" proper header parsing.

hashtag
Identification

hashtag
Detection Request

Request 1 (Smuggling):

Note: xxxxxxxx = exactly 8 characters (padding for Gunicorn's forced body length)

Request 2 (Probe):

hashtag
Testing Procedure

  1. Create tab group in Burp Repeater

  2. Send both requests via single connection

  3. Observe responses

hashtag
Expected Results

Request
Expected Path
Actual Response

Request 1

GET /

200 OK (index page)

Request 2

GET /

404 Not Found ← Smuggled!

If Request 2 returns 404 instead of 200, the smuggled /404 request was processed.

hashtag
TCP Stream Analysis

hashtag
Reverse Proxy View

Proxy sees: Two GET requests to /

hashtag
Gunicorn View (Buggy)

Gunicorn sees: Three requests - including smuggled /404!

hashtag
Exploitation - WAF Bypass

hashtag
Scenario

  • WAF blocks requests with admin in URL

  • Goal: Access /admin panel

hashtag
Exploit Requests

Request 1 (Smuggling):

Request 2 (Trigger):

hashtag
Content-Length Calculation

Adjust CL to match your target hostname.

hashtag
Attack Flow

hashtag
Server Detection

hashtag
Identifying Gunicorn

Check response headers:

hashtag
Version Check

The vulnerability affects Gunicorn 20.0.4 specifically.

hashtag
The 8-Byte Padding

hashtag
Why xxxxxxxx?

The Sec-Websocket-Key1 bug forces exactly 8 bytes for the body:

You can use any 8 characters:

  • xxxxxxxx

  • AAAAAAAA

  • 12345678

  • (8 spaces)

hashtag
Calculation Template

hashtag
Other Vulnerable Software

hashtag
Known Request Smuggling CVEs

Software
CVE
Description

Gunicorn 20.0.4

-

Sec-Websocket-Key1 bug

HAProxy

CVE-2021-40346

Integer overflow in content-length

Apache

CVE-2022-22720

Request splitting

Node.js

CVE-2022-32215

HTTP Request Smuggling

Nginx

Various

Chunked encoding edge cases

hashtag
Research Resources

hashtag
Tips & Tricks

hashtag
Testing Multiple Versions

When targeting unknown infrastructure:

  1. Identify server software from headers

  2. Research known smuggling bugs

  3. Test version-specific payloads

hashtag
Burp Configuration

Same as TE.CL:

  1. Disable "Update Content-Length"

  2. Create tab group

  3. Send in sequence (single connection)

hashtag
Fallback Strategy

If CL/TE techniques fail:

  • Check for software-specific bugs

  • Test unusual headers

  • Research CVEs for identified software

hashtag
Lab Walkthrough Summary

  1. Identify server: Server: gunicorn/20.0.4

  2. Confirm WAF blocks /admin

  3. Test Sec-Websocket-Key1 bug with /404 smuggle

  4. Verify Request 2 returns 404 (smuggled request processed)

  5. Exploit by smuggling GET /admin instead

  6. Access admin panel via Response 2

hashtag
References

PreviousTE.TE VulnerabilitiesNextExploitation Techniques

Last updated