Hey everyone! Check out this playlist for all my solutions to the HTTP Request Smuggling labs from PortSwigger - 👀
ua-cam.com/play/PLGb2cDlBWRUX1_7RAIjRkZDYgAB3VbUSw.html
Here are the timestamps for this video - ⏱
00:00 - Intro
00:30 - Confirm the CRLF vulnerability
01:50 - Leak the internal headers using CRLF injection
05:30 - Smuggle a request to the admin page
09:36 - Use a HEAD request instead of GET
You're awesome, brother, thank you so much!
@netletic haha, I bet you didn't understand the first two words
10:00 We don't need an endpoint that matches the CL of the admin page; instead we can use GET /?search= and add search terms until it matches the /admin endpoint's content length (3521).
Hey @gopikanna_, that's an excellent find! Definitely also a great way to work around the content-length issue 🔥
@netletic Thank you for your appreciation, man!
1:23 Why are we adding the Host values in the name of the foo header instead of in its value?
Hey @gopikanna_, it's always good to try both. Sometimes front-end implementations will strip CRLFs from header values when converting the request to HTTP/1.1 to talk to the backend, essentially fixing this vulnerability, but not from the header name. Then we can still exploit it by injecting CRLFs in the header name.
@netletic Understood, thank you for your reply.
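To make the name-versus-value distinction from the reply above concrete, here is an added example (not from the video, the lab or PortSwigger). It models a hypothetical HTTP/2 front-end that downgrades a request to HTTP/1.1 for its backend, with flags for whether it scrubs CRLF from header values, header names, or both, and a minimal backend-side splitter that counts how many requests the resulting byte stream contains. The host names, the `foo`/`x-ignore` header names and the `/admin` path are assumptions chosen for illustration; the "malformed" check at the end reflects what RFC 9113 §8.2.1 actually requires of a conforming front-end.

```python
# Added example: why CRLF injection in an HTTP/2 header NAME can survive a
# front-end that only sanitizes header VALUES during the HTTP/1.1 downgrade.
# Hypothetical front-end/backend models; not the code of any real proxy.

CRLF = "\r\n"

# Constructed tunnelled request (assumed path and host, for illustration).
TUNNELLED = "GET /admin HTTP/1.1" + CRLF + "Host: localhost"


def attack_headers(where):
    """Return HTTP/2-style (name, value) pairs with the tunnelled request
    injected either into a header value or into a header name."""
    if where == "value":
        return [
            ("host", "vulnerable.example"),
            ("foo", "bar" + CRLF + CRLF + TUNNELLED + CRLF + "x-ignore: x"),
        ]
    # where == "name": the CRLFs live in the field name; the value is harmless.
    return [
        ("host", "vulnerable.example"),
        ("foo: bar" + CRLF + CRLF + TUNNELLED + CRLF + "x-ignore", "x"),
    ]


def downgrade(method, path, headers, strip_values=True, strip_names=False):
    """Serialize HTTP/2 header pairs into an HTTP/1.1 request, the way a
    front-end does before forwarding to an HTTP/1.1 backend. The two flags
    model which fields this (hypothetical) front-end cleans."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        if strip_names:
            name = name.replace("\r", "").replace("\n", "")
        if strip_values:
            value = value.replace("\r", "").replace("\n", "")
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def split_requests(raw):
    """Minimal view of the byte stream as an HTTP/1.1 backend parses it:
    each blank line ends a header block, so each non-empty block is one
    request. Bodies are ignored (enough for body-less GET/HEAD requests)."""
    return [
        block.split(CRLF)[0]
        for block in raw.split(CRLF + CRLF)
        if block.strip()
    ]


def backend_view(where, strip_values=True, strip_names=False):
    """Request lines the backend sees for a given injection point and
    front-end sanitization policy."""
    raw = downgrade("GET", "/", attack_headers(where), strip_values, strip_names)
    return split_requests(raw)


def is_malformed(headers):
    """What a correct front-end does instead of stripping: RFC 9113 §8.2.1
    says CR, LF or NUL in a field name or value (or a non-token name, e.g.
    one containing ':') makes the request malformed, so reject it outright."""
    bad = {"\r", "\n", "\0"}
    return any(
        (set(name) & bad) or ":" in name or (set(value) & bad)
        for name, value in headers
    )


if __name__ == "__main__":
    # Value-only scrubbing "fixes" value injection but not name injection.
    print("value, values scrubbed :", backend_view("value"))
    print("name,  values scrubbed :", backend_view("name"))
    print("name,  both scrubbed   :", backend_view("name", strip_names=True))
    print("reject malformed?      :", is_malformed(attack_headers("name")))
```

The run shows the backend receiving one request when the payload sits in a scrubbed value, but two (`GET /` followed by `GET /admin`) when the same bytes sit in the header name, which is exactly why trying both injection points is worthwhile. Note that stripping is itself the wrong fix: `is_malformed` rejects both payloads, which is the behaviour the spec asks for.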
What is the difference if we inject the payload into the name or the value? I got mixed up.
The content is great 👍🏻 but you talk tooooo fast 😅