Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Lab: HTTP request smuggling, basic TE.CL vulnerability

Adnanmig | Last updated: Aug 28, 2019 07:06PM UTC

Hi, When following the solution to this lab, the second request results in bad request error and not the expected result of the lab. I have tried it with Burp and curl with the same result. Not sure what I am missing? Can you please help? thanks.

Liam, PortSwigger Agent | Last updated: Aug 29, 2019 01:29PM UTC

The lab works in our testing. Have you tried resetting the lab?

Burp User | Last updated: Sep 01, 2019 04:20PM UTC

Yes, I have reset the lab multiple times but not getting the expected results.

Liam, PortSwigger Agent | Last updated: Sep 02, 2019 02:32PM UTC

The lab and solution work in our testings and other users have completed the lab. Keep trying.

Burp User | Last updated: Oct 29, 2019 01:34AM UTC

Hello Liam, Question. I am unable to submit the solution in the lab for this , and it keeps spamming back 400 bad Request and also 500 internal server error. i have even used the bAppStore plugin, is it becuase ... I have did the whole steps including the /r/n/r/n at the end of the request still no 404. please advise, if this is a lab error, or it no longer works. Im almost done and this is blocking completion. How do i reset lab as well? i have just been waiting for session time out, and log out and log back in. I can email you directly as i have some completion for some Request smuggling practioner exercises, but this one just doesnt seem to work. thank you

Ben, PortSwigger Agent | Last updated: Oct 29, 2019 10:44AM UTC

Hi Bob, Due to some recent changes in our lab infrastructure, the previously listed solution for the Request Smuggling labs may no longer be correct. While our development team is working on addressing this issue, the following workaround should allow you to progress through the labs as normal. Each request is now required to have a Host header in order to be successfully processed by the lab server (this also means that the lab user needs to work out the new offsets involved). This needs to be applied to any requests issued to the lab in order to bypass this new validation. Please let us know if you need any further assistance.

Ben, PortSwigger Agent | Last updated: Oct 29, 2019 01:39PM UTC

Hi Bob, Just to follow up on the previous message. The development team have been busy working on the Request Smuggling labs today and, to make things simpler for our Web Academy users, they have reverted the labs back to their original settings. This should mean that all of the labs are now solvable using the solutions provided. I have just tried the lab that you have been working on and have confirmed that it is now solvable using the original solution provided. Please try again and let us know if you are now able to successfully solve it. Apologies for the confusion that this may have caused you. Please let us know if you need any further assistance with anything else in the future.

mark | Last updated: Apr 14, 2020 07:12AM UTC

sorry to say but i am facing the same issue http/1.1 404 bad request error:Read timeout after 10000ms

mark | Last updated: Apr 14, 2020 07:13AM UTC

please let me know weather any extensions are the reason or and problem with code or server side

Uthman, PortSwigger Agent | Last updated: Apr 14, 2020 10:20AM UTC

Hi, I have just tested the lab and it works. Please see below: POST / HTTP/1.1 Host: <lab-ID>.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 For the host, try leaving out https://. The second time you submit this request in Repeater, you should see a 403 Forbidden response along with the "Unrecognized method GPOST" message. Refresh the lab and it will be marked as solved. Please give this a try and let me know how you get on.

mark | Last updated: Apr 14, 2020 11:06AM UTC

got it the error is solved

mark | Last updated: Apr 14, 2020 11:07AM UTC

enter twice after zero and the code executes

Franko | Last updated: Nov 17, 2020 02:08PM UTC

thanks entering twice "enter" after the 0 it solved the error

MrBelieVe | Last updated: Mar 22, 2021 05:55AM UTC

thanks entering twice "enter" after the 0 it solved the error. It works for me.

neville | Last updated: Oct 06, 2022 11:42AM UTC

Hi. I cannot solve this lab (HTTP request smuggling, basic TE.CL vulnerability), even when I use the exact solution provided including the two trailing \r\n. Has there been some changes to the lab since the solution was posted? Thanks. POST / HTTP/1.1 Host: 0a4200c60375b196c058f06300d100b9.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0

Ben, PortSwigger Agent | Last updated: Oct 06, 2022 04:06PM UTC

Hi Neville, The lab still works in exactly the same way as described in the solution - see the screenshot below for the request I issued twice in order to solve the lab earlier today: https://snipboard.io/O7BMJW.jpg If you are having issues with this are you able to provide us with a screenshot of the request that you are sending within Repeater so that we can visually see what this looks like?

0xbro | Last updated: Apr 02, 2023 02:55PM UTC

Hello all, I have a similar issue. I'm able to smuggle the second request, but it prepends the chunk length to the HTTP methods instead of ignoring it. The content length I used is the same as the example, but the server response is always "Unrecognized method 5CGPOST" Burpsuite version: 2022.12.7 (disabled the Update content length and used HTTP/1.1 as default) Below are the screens: https://imgur.com/R73lBZu https://imgur.com/IWnpjUp Any help would be appreciated (may have changed some default configurations in the latest versions of burp?)

0xbro | Last updated: Apr 02, 2023 02:56PM UTC

Below are the screens (updated links): https://i.imgur.com/R73lBZu.png https://i.imgur.com/IWnpjUp.png

Ben, PortSwigger Agent | Last updated: Apr 03, 2023 09:57AM UTC

Hi, It looks like you have spelt 'Length' incorrectly within the 'Content-Length' header in the chunked request (you have this as Content-Lenght).

0xbro | Last updated: Apr 03, 2023 11:56AM UTC

Lol, what a stupid mistake... thanks for the help and sorry for the waste of time.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.