thank you @NickBot09!

thanks @bloodmann264! that's very nice to hear ☺️ I'll patiently keep going, thanks for the kind words! 😁

@@netletic The patience you have to explain stuff and go slow- brick by brick to explain, is amazing, It helps people understand. Thanks for that as well. That quality is unique and I hope it takes you forward☺

😂 thank you sir!

Cheers @alexandreromao7978!

thanks @loskyli5633! You can add the Host header to the GPOST request as well, it's optional in this lab since the main purpose of the Host header is for the frontend to route it to the correct backend. Since the GPOST request was smuggled in, it was already routed to the correct backend by the frontend since it piggybacked on the POST / request above.

thanks @lazarep1! yep I'm finishing up the HTTP request smuggling labs in November, and then I'll be picking another advanced topic ☺️

I feel like web cache poisioning and deserialization are the 3 hardest, so my wish would be either one of those. Thanks for the content@@netletic

Thanks for the kind words @doya8130!

Hey Tarek, thanks for your question! The way I understand it is: - we send our Attack Request with a Smuggled Content-Length of 5 - which is our actual Smuggled Content-Length - the backend first responds to our request up to and including 56 with a 200 OK - in addition the backend is poisoned with our prefix from GPOST up until and including 0 - but our prefix is a complete request, with a clear and valid start and end to our request - in the case of this lab, the backend server will simply process - and execute - our GPOST request - but we don't get to see the Response to that GPOST request - and when we send our Normal Request, since the GPOST request was already processed, our Normal Request is processed normally - and gets back a 200 OK For this lab I confirmed that the backend server simply executes our Smuggled Request when we set the Smuggled Request Content-Length to the actual Content-Length by changing the GPOST into a POST request that posts a comment on one of the blog posts. When I sent that Attack Request I immediately saw that a comment "y 0" was posted, proving that the backend server executed our Smuggled Request. See an example here if you'd like to test this yourself: pastebin.com/GwAduwSb If we set our Smuggled Content-Length to a minimum of our Actual Smuggled Content-Length + 1, the backend server expects at least 1 more byte to come in, and will only process our Smuggled Request once the next request - our Normal Request - comes in. In a real scenario you want to increase the Smuggled Content-Length quite a bit so you can see as much as possible of a potential victim's request posted as a comment. E.g. that way you can steal the victim's session cookie.

@@netletic Thank you so much that's literally what I was looking for!! :D

Hey Tarek, I hope I answered this question in my reply to your previous comment! 😊

hey @jaywandery9269, it's definitely more niche but http request smuggling vulnerabilities are still being found today - and likely will be for as long as http/2 isn't used end-to-end. Most recently I've seen this talk at ShmooCon 2024 - kzbin.info/www/bejne/l3yzcotmZcuna9U - where these guys found new vulnerabilities and parsing inconsistencies by leveraging the HTTP Garden project (github.com/narfindustries/http-garden). We also saw the F5 RCE late last year. (www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/) For general http request smuggling vulnerabilities within an application I think I'd focus on testing URI paths that I suspect might be a separate service with its own backend, where the backend might be using a backend that's more niche. In these PortSwigger labs we usually start with the homepage and go from there, but I think it's important to remember that large applications consist of different services managed by different teams that each might be using different backend systems - that's where I'd focus on today if I were trying to find request smuggling vulnerabilities.

thank you@@netletic I will definetly have a look at the talk. Cheers!

I'll see if I can export the slides next week and share it with you as pdf 👍

thank u so much

Haha, thanks @pranjalruhela1103, glad you found it respectable 😂

thank you @shutingyang7623! ❤️

hey @_ILunar - Indeed, the Content-Length of that attack request, counting CRLFs as well, is 10 bytes. But in order to ensure that at least 1 byte of our normal request, or a victim's request, is appended to the GPOST prefix that we poisoned the backend with using this attack request, we need to set the Content-Length of our Smuggled GPOST Request to "actual_content_length + 1". The lab solution uses Content-Length 15, which works fine as well. It's greater than "actual_content_length + 1", and it's less than "actual_content_length + length of content of our own normal request or a victim's normal request".

thanks sir, i understanded