Request Smuggling

1. `Content-Length`

Content-Length header - HTTP | MDNMDN Web Docs

The HTTP Content-Length header indicates the size, in bytes, of the message body sent to the recipient.

In the context of the HTTP Request Smuggling attack, a certain behavior of the Content-Length header can be exploited. This can happen when a value larger than the actual supplied body content is used as the value, resulting in the server to pause and wait for the rest of the content to arrive.

2. `Transfer-Encoding`

Transfer-Encoding header - HTTP | MDNMDN Web Docs

The possible values are:

deflate, gzip, compress
chunked

In the context of the HTTP Request Smuggling attack, we will be focusing on the chunked value:

POST / HTTP/ 1.1 
Host: ...
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

aa
actual data
0

At the beginning of each chunk, a string of hex digits indicate the size of the chunk-data (eg. aa), followed by a carriage-return and newline character (CRLF: \r\n), the chunk-data itself, followed by another CRLF, and finally a terminating zero-length chunk.

PreviousExploitable headers NextFramework specific

Last updated 3 months ago