PortSwigger/http-request-smuggler PortSwigger/http-request-smuggler

  • Stars
    star
    934
  • Rank 47,326 (Top 1.0 %)
  • Language
    Java
  • License
    Other
  • Created almost 5 years ago
  • Updated 6 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
PortSwigger/http-request-smuggler
github

PortSwigger

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

HTTP Request Smuggler

This is an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks, originally created during HTTP Desync Attacks research. It supports scanning for Request Smuggling vulnerabilities, and also aids exploitation by handling cumbersome offset-tweaking for you.

This extension should not be confused with Burp Suite HTTP Smuggler, which uses similar techniques but is focused exclusively bypassing WAFs.

Install

The easiest way to install this is in Burp Suite, via Extender -> BApp Store.

If you prefer to load the jar manually, in Burp Suite (community or pro), use Extender -> Extensions -> Add to load build/libs/http-request-smuggler-all.jar

Compile

Turbo Intruder is a dependency of this project, add it to the root of this source tree as turbo-intruder-all.jar

Build using:

Linux: ./gradlew build fatjar

Windows: gradlew.bat build fatjar

Grab the output from build/libs/desynchronize-all.jar

Use

Right click on a request and click Launch Smuggle probe, then watch the extension's output pane under Extender->Extensions->HTTP Request Smuggler

If you're using Burp Pro, any findings will also be reported as scan issues.

If you right click on a request that uses chunked encoding, you'll see another option marked Launch Smuggle attack. This will open a Turbo Intruder window in which you can try out various attacks by editing the prefix variable.

For more advanced use watch the video.

Practice

We've released a collection of free online labs to practise against. Here's how to use the tool to solve the first lab - HTTP request smuggling, basic CL.TE vulnerability:

  1. Use the Extender->BApp store tab to install the 'HTTP Request Smuggler' extension.
  2. Load the lab homepage, find the request in the proxy history, right click and select 'Launch smuggle probe', then click 'OK'.
  3. Wait for the probe to complete, indicated by 'Completed 1 of 1' appearing in the extension's output tab.
  4. If you're using Burp Suite Pro, find the reported vulnerability in the dashboard and open the first attached request.
  5. If you're using Burp Suite Community, copy the request from the output tab and paste it into the repeater, then complete the 'Target' details on the top right.
  6. Right click on the request and select 'Smuggle attack (CL.TE)'.
  7. Change the value of the 'prefix' variable to 'G', then click 'Attack' and confirm that one response says 'Unrecognised method GPOST'.

By changing the 'prefix' variable in step 7, you can solve all the labs and virtually every real-world scenario.

More Repositories

1

turbo-intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
Kotlin
1,112
star
2

param-miner

Java
1,001
star
3

backslash-powered-scanner

Finds unknown classes of injection vulnerabilities
Java
606
star
4

collaborator-everywhere

A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
Java
395
star
5

xss-cheatsheet-data

This repository contains all the XSS cheatsheet data to allow contributions from the community.
380
star
6

hackability

Probe a rendering engine for vulnerabilities and other features
JavaScript
362
star
7

BChecks

BChecks collection for Burp Suite Professional
320
star
8

dastardly-github-action

Runs a scan using Dastardly by Burp Suite against a target site and creates a JUnit XML report for the scan on completion.
Dockerfile
126
star
9

portable-data-exfiltration

This repo contains all the injections mentioned in my talk and enumerators.
JavaScript
87
star
10

distribute-damage

Evenly distributes scanner load across targets
Java
76
star
11

httpoxy-scanner

A Burp Suite extension that checks for the HTTPoxy vulnerability.
Java
76
star
12

replicator

Burp extension to help developers replicate findings from pen tests
Java
64
star
13

burp-extensions-montoya-api

Burp Extensions Api
Java
64
star
14

burp-extender-api

Burp Wiener API (Legacy)
Java
54
star
15

python-scripter

Sourced from gist: https://gist.github.com/mwielgoszewski/7026954
Python
50
star
16

css-exfiltration

HTML
43
star
17

serialization-examples

Java
33
star
18

aws-security-checks

AWS Security Checks
Python
31
star
19

example-hello-world

Java
31
star
20

server-side-prototype-pollution

Java
22
star
21

burp-extensions-montoya-api-examples

Examples for using the Montoya API with Burp Suite
Java
20
star
22

example-intruder-payloads

Java
19
star
23

example-scanner-checks

Java
18
star
24

reflected-parameters

Java
18
star
25

nice-script

A JavaScript sandbox using proxies
JavaScript
17
star
26

custom-logger

Java
16
star
27

example-custom-editor-tab

Java
15
star
28

example-event-listeners

Java
15
star
29

bseept

Burp Suite Enterprise Edition Power Tools
Python
13
star
30

3d-css-tutorial

HTML
12
star
31

example-custom-scan-insertion-points

Java
12
star
32

enterprise-reference-stack-for-aws

Smarty
7
star
33

viewstate-editor

Burp extension to add a view state tab to the message editor
Java
6
star
34

random-ip-address-header

Java
5
star
35

html5-auditor

Java
5
star
36

certsquirt

A golang PKI in less than 1000 lines of code.
Go
3
star
37

example-custom-session-tokens

Java
2
star
38

example-custom-logger

Java
2
star
39

manual-scan-issues

Java
2
star
40

websphere-portlet-state-decoder

Python
1
star
41

burp-jenkins-integration

Enterprise integration with Jenkins
Java
1
star
42

open-day

1
star
43

enterprise-helm-charts

Helm charts for BSEE Kubernetes installation.
Smarty
1
star