Did anyone find the TE.CL section lab from the HTTP Attacks module a bit contradictory? First the TE smuggle is shown, then you force the WAF to fall back to CL. I'm not sure how the second GET request to admin (GET /admin HTTP/1.1) is not blocked by the WAF, since the CL (Content-Length: 4) from the first request stops the body block after 27\r\n (from the example) and the next one (to /admin) is processed, which should be stopped by the WAF according to the section ('admin' keyword).
You are not forcing the WAF to fall back to CL. The HTTP protocol indicates that if both TE and CL headers exist then TE should always be used, so the WAF uses TE and accepts the original request as a single request with 2 chunks, and forwards it to the backend as a single request. (There is no admin in the original request headers; it is in the body chunks, but that is allowed by the rules.)
Now the backend has a vulnerability and doesn't follow the protocol. It gets the request and instead of TE uses CL, breaking the request down into two requests. It processes the first one (up to the size indicated by CL) and then assumes the rest is part of the next call it will receive.
That's the theory… but I can't get the flag on the exercise myself, did you?
EDIT: Never mind, got the flag… Gotta remember when stuck, just read the ■■■■ Hint!
It was a tough one, I have to admit… it took me 2.5 weeks, found the culprit myself.
If you want we can exchange payloads in DM to compare.