defparam / smuggler

Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
MIT License
1.81k stars 294 forks

How to test HTTP smuggling using the payload from Smuggler with Turbo Intruder #16

Closed shelld3v closed 4 years ago

shelld3v commented 4 years ago

Hi, I just want to confirm, nothing much. First, when Smuggler detects a vulnerability, it creates a file in the /payloads directory that contains the payload:

POST /?cb=402245071240945 HTTP/1.1
Transfer-Encoding: chunked
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 6
Cookie:  ...

0

X

Now, many bug bounty programs will require us to confirm the vulnerability. If we can't find a way to make the poisoned victim's request give us a signal, one of the only ways is using Turbo Intruder (of course, make sure that the website doesn't have too much traffic at the time; usually this only happens on subdomains). So how can I test the payload using my Turbo Intruder? I pasted the request into Burp Repeater, edited the host, right-clicked, and there are 2 options: Smuggle attacker (CL.TE) and Smuggle attacker (TE.CL). I chose the correct option for my request (TE.CL), but something went wrong with my requests in Turbo Intruder. Did I forget something in my steps? I also want to ask what technique Smuggler uses to detect the vulnerability. The timeout technique, ...? (I think it is using the timeout to detect HTTP request smuggling.)

shelld3v commented 4 years ago

Also, sorry if bad English 🌝

AmrSec commented 4 years ago

Why is there no answer? Do you know how to use it, shelld3v?

shelld3v commented 4 years ago

I don't know :) But I think I am going to close this thing now since there is no answer. Gonna learn other stuff; I hate request smuggling with this bad response :)

defparam commented 4 years ago

Hey thanks for being patient,

This tool isn't an exploitation tool; it is a recon tool. It simply finds problematic HTTP requests that should be looked into further. It doesn't stage, or teach how to stage, any desync attacks. It provides you with the payload of the HTTP request that is problematic, and you are expected to know how to exploit it using Turbo Intruder and other tools.

My intention with this project is not to teach the exploitation of desync attacks; it is just to search for them. However, if you want to take the payload and use it for exploitation, you have to know how to read the payload file using Python in the Turbo Intruder script and issue the attack with the request. This information is out of scope for this project, so I am not covering it here.

shelld3v commented 4 years ago

OK, @defparam! Is there no other option except staying quiet and not caring about this issue? Very well, then I will close this soon.

Thanks for letting me know :)

defparam commented 4 years ago

To be clear, the point of this tool isn't to actively exploit hosts. It's to find potential issues and give you the payload which caused them. It's not this project's concern that you don't know what to do with the payloads it produces, and it's not my mission to teach you how to use Turbo Intruder.