Request smuggling – do more than running tools! HTTP Request smuggling bug bounty case study
Request smuggling is an amazing bug class! But I barely ever did more than running Request Smuggler. So I’ve analysed tens of reports and in this video, I’ll break down the most common root causes and I’ll give you some ideas for future research.
Reports mentioned in the video:
Whitespace characters in CL/TE headers
https://hackerone.com/reports/1501679
https://hackerone.com/reports/1630667
Incorrect prioritization of CL/TE
https://hackerone.com/reports/488147
Multiple TE/CL headers
https://hackerone.com/reports/867577
Ignoring the TE/CL headers
https://blog.jeti.pw/posts/knocking-on-the-front-door/
Not closing the connection
https://regilero.github.io/english/security/2019/10/17/security_apache_traffic_server_http_smuggling/
HTTP/2 downgrade forwarding CL/TE
https://portswigger.net/research/http2
Only \n or \r as a newline
https://hackerone.com/reports/2032842
Not a literal “chunked” TE
https://hackerone.com/reports/1594627
https://youtu.be/4Y8jbEfX3us
CRLF injection
https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning
https://members.bugbountyexplained.com/novel-ways-of-http-request-splitting/
Trailer parsing
https://hackerone.com/reports/2280391
H2C upgrade
https://www.assetnote.io/resources/research/h2c-smuggling-in-the-wild
Converting \r to -
https://hackerone.com/reports/922597
Chunk extensions
https://hackerone.com/reports/1238099
Timestamps:
00:00 Intro
00:34 Whitespace characters in CL/TE headers
03:45 Incorrect prioritization of CL/TE headers
05:26 Multiple TE/CL headers
07:22 Ignoring the TE/CL headers
10:05 Not closing the connection
11:40 HTTP/2 downgrade forwarding CL/TE
14:02 Only \n or \r as a newline
15:35 Not a literal “chunked” TE
16:39 CRLF injection
17:49 Trailer parsing
19:26 H2C upgrade
20:42 Converting \r to -
22:20 Chunk extensions