Closed AlessandroZ closed 5 years ago
albinowax
commented
5 years ago Thanks for the report. The plugin seems to be sending this payload correctly when I test it myself. Could you double check two things:
AlessandroZ
commented
5 years ago Ok I managed to understand the error. You were right the plugin detects well the vulnerability.
I had checked swap - with _ so it didn't work with Transfer_Encoding.
Then I don't know why but between the 9th and 10th request sent I have like 2-3min of latency, so I thought, it was over. But waiting a bit, the vulnerability has well been detected.
Everything is more clear now. Thanks again for your help. :+1:
Hi @albinowax,
I have managed to exploit an http request smuggling but I have noticed a difference between the burp scanner (version pro) and the http request smuggler plugin.
Running the plugin, nothing is detected whereas running burp scanner, it detects well the vulnerability.
I have checked the difference between both using logger++.
The working request uses this pattern:
This one works and is well detected by the Burp scanner. However, any modification of this pattern affects the result. For example, if you inverse the
Transfer-EncodingandHosthttp header, does not work anymore.When I launch HTTP request smuggling plugin, I can see in logger++ that the
Transfer-Encodingheader is added after theContent-Length. I can see these two requests:And this one
So in my case, the server response well and the plugin didn't find anything. So I was wondering why this difference and if it's possible to force these check using this plugin.
Thanks a lot for your work and for everything you do for the community.
Your work is impressive and awesome !