request-smuggling – Page 3 – WindowsTechs.com

why the website cant understand my request in http smuggling?

Posted on February 4, 2021 by eyal

hi I started to find bug bounty vulnerabilities and i think i found a te.cl vulnerability in a website.
i send
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: subdomain.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple… Continue reading why the website cant understand my request in http smuggling?→

Nessus Plugin "HTTP Smuggling Detection" failing due to support for http/1.1 – how to overcome?

Posted on September 25, 2020 by B Robster

A new Nessus plugin (140735 – HTTP Smuggling Detection) was very recently incorporated into Tenable’s PCI template and is now beeing flagged as a "medium" vulnerability and causing scans to fail.
The only info in the scan report … Continue reading Nessus Plugin "HTTP Smuggling Detection" failing due to support for http/1.1 – how to overcome?→

HTTP Request Smuggling Checking for Desync Type

Posted on September 22, 2020 by Emanuel Beni

I am currently trying to learn HTTP Request Smuggling. In a presentation give by @defparam (https://www.youtube.com/watch?v=3tpnuzFLU8g), he mentioned that HTTP Request Smuggling/Desync can be classified into 3 categorization; Open Desync,… Continue reading HTTP Request Smuggling Checking for Desync Type→

HTTP Request Smuggling Checking for Desync Type

Posted on September 22, 2020 by Emanuel Beni

HTTP Request Smuggling Basics

Posted on September 16, 2020 by Emanuel Beni

I am currently trying to learn HTTP Request Smuggling vulnerability to further enhance my pen testing skills. I have watched a couple of videos on Youtube and read articles online regarding it but still have a couple of questions in mind:
… Continue reading HTTP Request Smuggling Basics→

Force Apache Server/Tomcat to ignore Transfer-Encoding

Posted on July 3, 2020 by Druckles

I am trying to reproduce HTTP request smuggling using an Apache HTTP Server as a reverse proxy (using mod_proxy) and a Tomcat Server in the back-end.
Is it possible to force either Apache Server or Tomcat to ignore Transfer-Encoding in req… Continue reading Force Apache Server/Tomcat to ignore Transfer-Encoding→

Python Script POST Body Containing CRLF Characters and Malformed Headers. HTTP Request Smuggling

Posted on May 22, 2020 by RespectableMan1337

Lately I have been attempting Portswiggers WebSecAcademy’s HTTP request smuggling labs with the additional challenge of writing a python script to complete the challenge for me.

Intended solution from Burp Repeater:

POST / HTTP/1.1
Host:… Continue reading Python Script POST Body Containing CRLF Characters and Malformed Headers. HTTP Request Smuggling→

Is this an example of HTTP request smuggling?

Posted on May 14, 2020 by Jordan Baron

I believe I found an HTTP smuggling vulnerability but I’m not sure. When I send a request like this

POST /test HTTP/1.1
Host: www.example.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintos… Continue reading Is this an example of HTTP request smuggling?→

What does "connection" mean in context of request smuggling

Posted on March 14, 2020 by Ram Rachum

I recently read about request smuggling. This is a very interesting attack that I didn’t know about. A vulnerability to this was recently discovered at Slack, disclosed responsibly and a bounty was awarded.

The linked article says:

Wh… Continue reading What does "connection" mean in context of request smuggling→