What is HTTP Request Smuggling?
HTTP Request Smuggling is very critical and high severity vulnerability and was initially discovered by watchfire back in 2005 and later it got re-discovered by James Kettle - (albinowax) in August 2019 and presented his research at DEF CON 27 & Black-HAT USA. HRS vulnerability allows an attacker to smuggle an ambiguous HTTP-request as second request in one single HTTP-request to bypass the security controls of a website and gain access to unauthorized sensitive data and performs malicious activities. To know more about this vulnerability I'll highly suggest referring James Kettle well-documented research blogs at Portswigger website.
How to detect HRS vulnerability?
Based on the earlier research the most common way to detect the HRS vulnerability is to check the application's response time, if the vulnerability exists then there will be a time delay in response. So there are two different ways to detect this vulnerability.
Detect (CL.TE) using time delay
To detect (CL.TE) vulnerability in an application you need to smuggle a request like below which causes a delay in response.
POST / HTTP/1.1
In the above HTTP request the front-end server uses Content-Length header which has a length of 5 which means it will only process the request body up to Z and it won't include Q in the first request and the back-end server uses Transfer-Encoding header which will process the first chunks of request and waits for the next chunks to arrive which causes a delay in response because as per the front-end server's content-length it processed only request body of length 5.
Detect (TE.CL) using time delay
To detect (TE.CL) vulnerability in an application you need to smuggle a request like below which causes a delay in response.
POST / HTTP/1.1
In the above HTTP request, the front-end server uses Transfer-Encoding header and in the request body, it sends 0 followed by which means in the first request it will terminate the request up to 0 and forwards the request and left remaining contents of the request body and the back-end server uses Content-Length header which has a length of 6 which waits for more contents to arrive which causes a delay in response.
HRS Detection Tool
By following the portswigger research academy I have developed a detection tool using python and by using the tool we can identify whether the application is vulnerable to (CL.TE) or (TE.CL) and to detect the vulnerability more accurately the tool has built-in payloads which has around 37 permutes and detection payloads for both (CL.TE) and (TE.CL) variants, the tool supports to scan one single URL or multiple URLs. And most importantly it has (--retry) option which means you can retry the same payload based on the retry value, which gives us an option to detect this vulnerability more accurately.
Needs to follow Security Consent before using this tool
It's quite important to know some of the legal disclaimers before scanning any of the targets, you should have proper authorization before scanning any of the targets otherwise I suggest do not use this tool to scan an unauthorized target because to detect the vulnerability it sends multiple payloads for multiple times by using (--retry) option which means if something goes wrong then there is a possibility that backend socket might get poisoned with the payloads and any genuine visitors of that particular website might end up seeing the poisoned payload rather seeing the actual content of the website. So I'll highly suggest taking proper precautions before scanning any of the target website otherwise you will face some legal issue.
How to use this tool?
To install this tool in your local machine you must have at least Python version 3.x otherwise socket will fail to established SSL connection with the target host.
git clone https://github.com/anshumanpattnaik/http-request-smuggling.git
pip3 install -r requirements.txt
usage: smuggle.py [-h] [-u URL] [-urls URLS] [-t TIMEOUT] [-m METHOD]
HTTP Request Smuggling vulnerability detection tool
-h, --help show this help message and exit
-u URL, --url URL set the target url
-urls URLS, --urls URLS set list of target urls, i.e (urls.txt)
-t TIMEOUT, --timeout TIMEOUT set socket timeout, default - 10
-m METHOD, --method METHOD set HTTP Methods, i.e (GET or POST), default - POST
-r RETRY, --retry RETRY set the retry count to re-execute the payload, default - 2
Example usage for using this tool
Scan one single Url
python3 smuggle.py -u [URL]
Scan list of Urls
python3 smuggle.py -urls [URLs.txt]
The detection payloads for both (CL.TE) and (TE.CL) are quite general and if you feel it requires to modify then you can update the payload in payloads.json file of detection array.
Time-based HRS detection logic is not always accurate and to confirm the vulnerability I can suggest you to play with burp-suite turbo intruder by using your payloads.
I hope you will find it useful my HRS Detection tool if you have any suggestion or find any issues then feel free to raise an issue in my Github repository.
Thank you for reading this post and Happy Hacking :)