webPromedium
Lab 4 — EdgeRelay — HTTP Request Smuggling via CL-TE Desync
hackadvisor
Task: EdgeRelay CDN platform has a Connection Tester that forwards raw HTTP requests to internal API; /internal/* endpoints are blocked by security filter using Content-Length validation. Solution: CL-TE HTTP request smuggling — send both Content-Length and Transfer-Encoding headers to desync proxy and backend, smuggling a GET /internal/config request inside a legitimate POST body to retrieve the master_api_key flag.
$ ls tags/ techniques/
nodejsnginxexpresshttp_request_smugglingcl_te_desynccontent_lengthtransfer_encodinginternal_api_bypassurl_validation_bypassraw_http_forwarding
cl_te_request_smugglingcontent_length_transfer_encoding_desyncsecurity_filter_bypassinternal_endpoint_accessrequest_pipelining_abuse
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor
- [web][Pro]Lab 347 — PushRelay — SSRF via URL Parsing Confusion in Webhook Tester— hackadvisor
- [web][Pro]DevRelay — Open Redirect in OAuth Authorization— hackadvisor
- [web][Pro]Lab 375 — PageFlow — Web Cache Deception via Path Normalization— hackadvisor
- [web][Pro]DeployVault — Path Confusion to SSRF Chain— hackadvisor