Request Smuggling

OK, so popular demand was to teach some request smuggling, which is a cool concept.

It's a little tough to set up the vulnerable site for this, so I'm leaning on the PortSwigger labs (which were some of the first popularizers of this vuln).

I think this might be us walking through someone else's nice content, but here's my TL;DR:

There is a whole realm of web exploits where tweaking your HTTP headers can trigger unusual/insecure behavior in the servers you are targeting.

This class of attacks is at the intersection of network security and server configurations.
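To make the "server configuration" side concrete, here is an added example (mine, not from PortSwigger's material): a check a front-end could run to refuse requests whose body length two servers might read differently, based on the RFC 9112 rules for `Content-Length` and `Transfer-Encoding`. The function name and the sample requests are constructed for illustration.

```python
import re

# Header names must be HTTP tokens (RFC 9110); whitespace before the colon
# or any other stray character makes the line malformed.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def framing_findings(raw_request: bytes) -> list[str]:
    """Return reasons the body framing is ambiguous (empty list = clean)."""
    findings = []
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lengths, codings = [], []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t"):
            findings.append("obsolete line folding")
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            findings.append(f"malformed header line: {line!r}")
            continue
        name, value = name.lower(), value.strip(" \t")
        if name == "content-length":
            lengths.append(value)
        elif name == "transfer-encoding":
            codings += [c.strip(" \t").lower() for c in value.split(",")]
    if lengths and codings:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    # Stricter than the RFC: a comma-separated list of lengths is refused too.
    if any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        findings.append("non-numeric Content-Length")
    if codings and codings[-1] != "chunked":
        findings.append("Transfer-Encoding does not end in chunked")
    return findings

# Constructed sample requests (not captured traffic).
HEAD = b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
CLEAN = HEAD + b"Content-Length: 5\r\n\r\nhello"
BOTH = HEAD + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
SPACED = HEAD + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"
DUPLICATE = HEAD + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("both", BOTH),
                       ("spaced", SPACED), ("duplicate", DUPLICATE)]:
        print(label, framing_findings(req) or "ok")
```

A proxy that rejects (rather than "repairs") anything this returns findings for never forwards a request the back-end could frame differently.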

Here's an image from the PortSwigger blogs that captures the essence. I'll pivot over to their content now:

Details:

Let's pivot to their notes

Now let's do a lab or two.