Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Evan | Last updated: Oct 17, 2019 08:25PM UTC

Lab doesn't seem to be working for me, even when I follow the solution. Getting timeout errors. This is what I'm trying to use, host url is correct, target is correct, update content length is not checkmarked, and keey getting time out error after 10000ms. Having similar issues in other labs of this category. POST / HTTP/1.1 Host: ac451f7f1e1dd31780a427f50095008e.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0

Ben, PortSwigger Agent | Last updated: Oct 18, 2019 07:07AM UTC

Hi, I have just worked through this lab and was able to solve it using the instructions provided. Have you added two carriage returns (pressing the Enter key twice) after the final 0 in the request that you have created in Burp Repeater? This is specified in the solution but some people do miss it.

Ben, PortSwigger Agent | Last updated: Oct 18, 2019 01:36PM UTC

Hi Evan, I am glad that you were able to solve your issue. Please let us know if you need any further assistance with anything in the future.

Burp User | Last updated: Oct 18, 2019 04:12PM UTC

Thank you Ben! Turns out, I thought that admin panel access would be reflected on the admin webpage---turns out it wasn't. You just had to assume you had admin access/ since no errors were returned. I went ahead and ran the code to delete Carlos and it went through!

Burp User | Last updated: Jan 29, 2020 01:57PM UTC

Hi the solution does not explain why we must add the two carriage returns of it to work, does someone know ? thanks

Hannah, PortSwigger Agent | Last updated: Jan 30, 2020 10:00AM UTC

The final line of an HTTP request needs to be \r\n. In practicality, this equates to two carriage returns, due to the carriage return on the previous line. An example: Get /mysite/index.html HTTP/1.1\r\n Host: 10.101.101.10\r\n Accept: */*\r\n \r\n Source: https://docs.citrix.com/en-us/netscaler/12/appexpert/http-callout/http-request-response-notes-format.html

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.