diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md index 0638cbfa9..40f0902fa 100644 --- a/src/pentesting-web/http-request-smuggling/README.md +++ b/src/pentesting-web/http-request-smuggling/README.md @@ -282,6 +282,117 @@ When testing for request smuggling vulnerabilities by interfering with other req - **Load Balancing Challenges:** Front-end servers acting as load balancers may distribute requests across various back-end systems. If the "attack" and "normal" requests end up on different systems, the attack won't succeed. This load balancing aspect may require several attempts to confirm a vulnerability. - **Unintended User Impact:** If your attack inadvertently impacts another user's request (not the "normal" request you sent for detection), this indicates your attack influenced another application user. Continuous testing could disrupt other users, mandating a cautious approach. +## Distinguishing HTTP/1.1 pipelining artifacts vs genuine request smuggling + +Connection reuse (keep-alive) and pipelining can easily produce illusions of "smuggling" in testing tools that send multiple requests on the same socket. Learn to separate harmless client-side artifacts from real server-side desync. + +### Why pipelining creates classic false positives + +HTTP/1.1 reuses a single TCP/TLS connection and concatenates requests and responses on the same stream. In pipelining, the client sends multiple requests back-to-back and relies on in-order responses. A common false-positive is to resend a malformed CL.0-style payload twice on a single connection: + +``` +POST / HTTP/1.1 +Host: hackxor.net +Content_Length: 47 + +GET /robots.txt HTTP/1.1 +X: Y +``` + +Responses may look like: + +``` +HTTP/1.1 200 OK +Content-Type: text/html + +``` +``` +HTTP/1.1 200 OK +Content-Type: text/plain + +User-agent: * +Disallow: /settings +``` + +If the server ignored the malformed `Content_Length`, there is no FE↔BE desync. With reuse, your client actually sent this byte-stream, which the server parsed as two independent requests: + +``` +POST / HTTP/1.1 +Host: hackxor.net +Content_Length: 47 + +GET /robots.txt HTTP/1.1 +X: YPOST / HTTP/1.1 +Host: hackxor.net +Content_Length: 47 + +GET /robots.txt HTTP/1.1 +X: Y +``` + +Impact: none. You just desynced your client from the server framing. + +> [!TIP] +> Burp modules that depend on reuse/pipelining: Turbo Intruder with `requestsPerConnection>1`, Intruder with "HTTP/1 connection reuse", Repeater "Send group in sequence (single connection)" or "Enable connection reuse". + +### Litmus tests: pipelining or real desync? + +1. Disable reuse and re-test + - In Burp Intruder/Repeater, turn off HTTP/1 reuse and avoid "Send group in sequence". + - In Turbo Intruder, set `requestsPerConnection=1` and `pipeline=False`. + - If the behavior disappears, it was likely client-side pipelining, unless you’re dealing with connection-locked/stateful targets or client-side desync. +2. HTTP/2 nested-response check + - Send an HTTP/2 request. If the response body contains a complete nested HTTP/1 response, you’ve proven a backend parsing/desync bug instead of a pure client artifact. +3. Partial-requests probe for connection-locked front-ends + - Some FEs only reuse the upstream BE connection if the client reused theirs. Use partial-requests to detect FE behavior that mirrors client reuse. + - See PortSwigger "Browser‑Powered Desync Attacks" for the connection-locked technique. +4. State probes + - Look for first- vs subsequent-request differences on the same TCP connection (first-request routing/validation). + - Burp "HTTP Request Smuggler" includes a connection‑state probe that automates this. +5. Visualize the wire + - Use the Burp "HTTP Hacker" extension to inspect concatenation and message framing directly while experimenting with reuse and partial requests. + +### Connection‑locked request smuggling (reuse-required) + +Some front-ends only reuse the upstream connection when the client reuses theirs. Real smuggling exists but is conditional on client-side reuse. To distinguish and prove impact: +- Prove the server-side bug + - Use the HTTP/2 nested-response check, or + - Use partial-requests to show the FE only reuses upstream when the client does. +- Show real impact even if direct cross-user socket abuse is blocked: + - Cache poisoning: poison shared caches via the desync so responses affect other users. + - Internal header disclosure: reflect FE-injected headers (e.g., auth/trust headers) and pivot to auth bypass. + - Bypass FE controls: smuggle restricted paths/methods past the front-end. + - Host-header abuse: combine with host routing quirks to pivot to internal vhosts. +- Operator workflow + - Reproduce with controlled reuse (Turbo Intruder `requestsPerConnection=2`, or Burp Repeater tab group → "Send group in sequence (single connection)"). + - Then chain to cache/header-leak/control-bypass primitives and demonstrate cross-user or authorization impact. + +> See also connection‑state attacks, which are closely related but not technically smuggling: +> +>{{#ref}} +>../http-connection-request-smuggling.md +>{{#endref}} + +### Client‑side desync constraints + +If you’re targeting browser-powered/client-side desync, the malicious request must be sendable by a browser cross-origin. Header obfuscation tricks won’t work. Focus on primitives reachable via navigation/fetch, and then pivot to cache poisoning, header disclosure, or front-end control bypass where downstream components reflect or cache responses. + +For background and end-to-end workflows: + +{{#ref}} +-browser-http-request-smuggling.md +{{#endref}} + +### Tooling to help decide + +- HTTP Hacker (Burp BApp Store): exposes low-level HTTP behavior and socket concatenation. +- "Smuggling or pipelining?" Burp Repeater Custom Action: https://github.com/PortSwigger/bambdas/blob/main/CustomAction/SmugglingOrPipelining.bambda +- Turbo Intruder: precise control over connection reuse via `requestsPerConnection`. +- Burp HTTP Request Smuggler: includes a connection‑state probe to spot first‑request routing/validation. + +> [!NOTE] +> Treat reuse-only effects as non-issues unless you can prove server-side desync and attach concrete impact (poisoned cache artifact, leaked internal header enabling privilege bypass, bypassed FE control, etc.). + ## Abusing HTTP Request Smuggling ### Circumventing Front-End Security via HTTP Request Smuggling @@ -739,6 +850,8 @@ def handleResponse(req, interesting): ## Tools +- HTTP Hacker (Burp BApp Store) – visualize concatenation/framing and low‑level HTTP behavior +- https://github.com/PortSwigger/bambdas/blob/main/CustomAction/SmugglingOrPipelining.bambda Burp Repeater Custom Action "Smuggling or pipelining?" - [https://github.com/anshumanpattnaik/http-request-smuggling](https://github.com/anshumanpattnaik/http-request-smuggling) - [https://github.com/PortSwigger/http-request-smuggler](https://github.com/PortSwigger/http-request-smuggler) - [https://github.com/gwen001/pentest-tools/blob/master/smuggler.py](https://github.com/gwen001/pentest-tools/blob/master/smuggler.py) @@ -757,9 +870,10 @@ def handleResponse(req, interesting): - [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/) - [https://portswigger.net/research/trace-desync-attack](https://portswigger.net/research/trace-desync-attack) - [https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/) +- Beware the false false‑positive: how to distinguish HTTP pipelining from request smuggling – [https://portswigger.net/research/how-to-distinguish-http-pipelining-from-request-smuggling](https://portswigger.net/research/how-to-distinguish-http-pipelining-from-request-smuggling) +- [https://http1mustdie.com/](https://http1mustdie.com/) +- Browser‑Powered Desync Attacks – [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks) +- PortSwigger Academy – client‑side desync – [https://portswigger.net/web-security/request-smuggling/browser/client-side-desync](https://portswigger.net/web-security/request-smuggling/browser/client-side-desync) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md index 62523af89..fd8bec430 100644 --- a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md +++ b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md @@ -2,9 +2,22 @@ {{#include ../../banners/hacktricks-training.md}} -**Check the post [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)** +Browser-powered desync (aka client-side request smuggling) abuses the victim’s browser to enqueue a mis-framed request onto a shared connection so that subsequent requests are parsed out-of-sync by a downstream component. Unlike classic FE↔BE smuggling, payloads are constrained by what a browser can legally send cross-origin. + +Key constraints and tips +- Only use headers and syntax that a browser can emit via navigation, fetch, or form submission. Header obfuscations (LWS tricks, duplicate TE, invalid CL) generally won’t send. +- Target endpoints and intermediaries that reflect inputs or cache responses. Useful impacts include cache poisoning, leaking front-end injected headers, or bypassing front-end path/method controls. +- Reuse matters: align the crafted request so it shares the same HTTP/1.1 or H2 connection as a high-value victim request. Connection-locked/stateful behaviors amplify impact. +- Prefer primitives that do not require custom headers: path confusion, query-string injection, and body shaping via form-encoded POSTs. +- Validate genuine server-side desync vs. mere pipelining artifacts by re-testing without reuse, or by using the HTTP/2 nested-response check. + +For end-to-end techniques and PoCs see: +- PortSwigger Research – Browser‑Powered Desync Attacks: https://portswigger.net/research/browser-powered-desync-attacks +- PortSwigger Academy – client‑side desync: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync + +## References +- [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks) +- [https://portswigger.net/web-security/request-smuggling/browser/client-side-desync](https://portswigger.net/web-security/request-smuggling/browser/client-side-desync) +- Distinguishing pipelining vs smuggling (background on reuse false-positives): https://portswigger.net/research/how-to-distinguish-http-pipelining-from-request-smuggling {{#include ../../banners/hacktricks-training.md}} - - -