Hey everyone! Check out this playlist for all my solutions to the HTTP Request Smuggling labs from PortSwigger - 👀 kzbin.info/aero/PLGb2cDlBWRUX1_7RAIjRkZDYgAB3VbUSw

Here are the timestamps for this video - ⏱
00:00 - Intro
00:16 - Pick an endpoint
00:33 - Prepare Repeater for Request Smuggling
01:47 - Detect the CL.TE vulnerability
03:31 - Confirm the CL.TE vulnerability
@cymzfr a year ago
This is the first time that I understand request smuggling... perfect explanation. Thank you so much
@netletic a year ago
thanks a mil @muzaffarsultan6409, glad it was helpful!
@cymzfr a year ago
@netletic can I ask you something? Why do you not bring reports of a smuggling request and explain why it occurred and how an attacker exploited it?
@netletic a year ago
that's an interesting idea, I might do something like that in the future! In the meantime, @BugBountyReportsExplained has done a video like that over here: kzbin.info/www/bejne/nauwZaqNdpyFfNE - it's a good explanation about how a request smuggling vulnerability was found in the wild :)
@cymzfr a year ago
@netletic ok bro, thanks, I hope you do it
@matteo910 a year ago
only high quality video I could find with explanations to go along with it - thanks
@netletic a year ago
thanks for the kind words @matteo910!
@vinayakpatil52146 months ago
Impressed with the way you demonstrate each action to perform
@old_schools10 months ago
Thank you very much for the awesome walkthrough. This video is a very detailed explanation, with an easy method to determine the size of the Content-Length, because I sometimes get stuck with Content-Length settings to make HRS work. Keep us updated with more videos about PortSwigger labs. Always success for Jarno Timmermans. Very, very helpful 👍
@bloodmann264 a year ago
As expected, Jarno's videos are quality material. Good explanation. Very reliable. Thanks brother~!
@netletic a year ago
thank you @bloodmann264! ☺️
@cowid5 months ago
MASSIVE thanks for putting all that together! This is REALLY helpful. Do the infographics come from PS or did you create those yourself? I couldn't find them in the academy.
@bolbolinfosec137610 months ago
Daaamn❤🔥❤🔥❤🔥 bro, I can't believe your content is free! Thank you, bro, thank you. I'm in love with your explanations and your videos. You're really trying to make us understand, I wish you the best in ur life, thank u💗💗💗 Believe me, bro, if you keep doing this, you can be one of the best tutors in the field.❤🔥
@panchakosha a year ago
I humbly request videos on the HRS Expert labs. :) I haven't found any good walkthroughs for those yet. Seriously though, these are great explanations. I would love to see videos like these for all labs in the academy, but that would take a long time and be quite the feat.
@netletic a year ago
thanks for the kind words @panchakosha! I'm making about one video a week and should get to the expert request smuggling labs in a few! :)
@moin_2565 months ago
What a professional explanation!
@jackdarton5499 11 months ago
great explanation, is request smuggling still a common vulnerability or is it not so common anymore and hard to find?
@netletic 11 months ago
hey @jackdarton5499, I think http request smuggling vulnerabilities will still be around for as long as http/2 isn't implemented end-to-end. Most recently I've seen this talk at ShmooCon 2024 - kzbin.info/www/bejne/l3yzcotmZcuna9U - where these guys found new vulnerabilities and parsing inconsistencies by leveraging the HTTP Garden project (github.com/narfindustries/http-garden). We also saw the F5 RCE last year. (www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/) For general http request smuggling vulnerabilities within an application I think I'd focus on testing URI paths that I suspect might be a separate service with its own backend, where the backend might be using a backend that's more niche. In these PortSwigger labs we usually start with the homepage and go from there, but I think it's important to remember that large applications consist of different services managed by different teams that each might be using different backend systems - that's where I'd focus on today if I were trying to find request smuggling vulnerabilities.
@anonymousvevo86978 months ago
Amazing explanations
@harry09_084 months ago
Perfect explanation!!!!
@sysxdragonfire70835 months ago
Awesome explanations. I'm a bit disappointed that PortSwigger does not make such good explanations, and there is also some stuff missing that you are explaining. Are your slides available somewhere, for example as a cheat sheet? This would be really helpful.
@topclubgo9 months ago
HTTP/1.1 405 Not Allowed - I didn't get a 200 OK, what does it mean?
@KingJendrik8 months ago
Where can I find the map with the bullet points for "Prepare Burp for Request Smuggling" or "Detect"?
@youssr53028 months ago
this video is the best of the best explanations
@bloodmann264 a year ago
Can you explain why the very first request when we convert it to POST, when sent, why does it give timeout on HTTP 1.1 but 200-ok on HTTP 2.0?
@netletic a year ago
hey @bloodmann264, HTTP/2 messages are sent over the wire as a series of separate "frames". Each frame is preceded by an explicit length field, which tells the server exactly how many bytes to read in. What I suspect is the case in this lab, is that HTTP/2 is supported end-to-end, i.e. between client and frontend, and between frontend and backend. If we try that timing technique with HTTP/2, the frontend is likely ignoring the Content-Length and Transfer-Encoding headers we set explicitly ourselves, and is using HTTP/2's built-in Content-Length mechanism instead. Hence this lab is only vulnerable to this particular class of request smuggling attack if we downgrade to HTTP/1.1, as then the frontend will use the Content-Length header we set ourselves, and will pass on the Transfer-Encoding header we've set to the backend.
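
The mismatch described in the reply above depends on an HTTP/1.1 request carrying both Content-Length and Transfer-Encoding, so a front-end that refuses such requests removes the disagreement. As an added example (not from the video or the commenter), here is a minimal Python framing check; the function names and sample requests are constructed for illustration.

```python
# Added example: hypothetical names, constructed sample requests.

def parse_headers(raw: bytes):
    """Return (name, value) pairs from the header block of a raw HTTP/1.1 request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        pairs.append((name, value.strip()))
    return pairs


def framing_verdict(raw: bytes) -> str:
    """Return 'ok', or a 'reject: ...' reason when the body length is ambiguous."""
    try:
        headers = parse_headers(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    if any(not name or name != name.strip() for name, _ in headers):
        return "reject: whitespace around header name"
    cl = [v for n, v in headers if n.lower() == b"content-length"]
    te = [v.lower() for n, v in headers if n.lower() == b"transfer-encoding"]
    if cl and te:
        # Two parsers may each trust a different header, so refuse to forward.
        return "reject: both Content-Length and Transfer-Encoding"
    if len(set(cl)) > 1:
        return "reject: conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "reject: non-numeric Content-Length"
    if te and te != [b"chunked"]:
        return "reject: unexpected Transfer-Encoding value"
    return "ok"


# Constructed samples: the same 3-byte form body framed three ways.
HEAD = b"POST / HTTP/1.1\r\nHost: example.test\r\n"
CHUNKS = b"3\r\nx=1\r\n0\r\n\r\n"  # 13 bytes on the wire
PLAIN = HEAD + b"Content-Length: 3\r\n\r\nx=1"
CHUNKED = HEAD + b"Transfer-Encoding: chunked\r\n\r\n" + CHUNKS
BOTH = HEAD + b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n" + CHUNKS

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("chunked", CHUNKED), ("both", BOTH)):
        print(label, "->", framing_verdict(req))
```
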
@codermomo17925 months ago
you are a real legend!
@nguyenthanhcong92 a year ago
wow, I found you ahaha really good explanation, thank you for that
@netletic a year ago
thank you @nguyenthanhcong92! ❤️
@0xbeven462 a year ago
Nice content and tutorials, also do prototype pollution
@netletic a year ago
thank you @0xbeven462 ! once I've finished up the series on request smuggling I'll tackle prototype pollution next ☺️ will likely do a few videos on the new GraphQL labs in between
@danmcgirr4210 a year ago
You are fantastic!
@netletic a year ago
Thanks @danmcgirr4210!
@axosolaman89849 months ago
make a video on 403 bypass
@axosolaman89849 months ago
best video sir keep it up
@_96blackjack503 months ago
my first video when I entered HTTP Request Smuggling
@amrkhled3598 a year ago
This is the first time that I understand request smuggling... perfect explanation. Thank you so much