webPromedium

Lab 222 — DeployForge — CL.0 HTTP Request Smuggling via Health Check Endpoint

hackadvisor

Task: CI/CD platform with nginx proxy blocking /admin/secrets; /api/health endpoint ignores Content-Length (CL.0 vulnerable). Solution: CL.0 HTTP request smuggling — POST to /api/health with body containing smuggled GET /admin/secrets prefix, backend ignores body and processes smuggled request, bypassing nginx ACL.

nodejs nginx express http_request_smuggling reverse_proxy admin_bypass honeypot_decoy health_check content_length cl0_desync cicd_platform

anti_honeypot_awarenesscl0_request_smugglingcontent_length_ignored_by_backendhealth_check_endpoint_abusenginx_acl_bypassrequest_pipelining

$ ls tags/ techniques/

nodejs nginx express http_request_smuggling reverse_proxy admin_bypass honeypot_decoy health_check content_length cl0_desync cicd_platform

anti_honeypot_awarenesscl0_request_smugglingcontent_length_ignored_by_backendhealth_check_endpoint_abusenginx_acl_bypassrequest_pipelining

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

Sign in with GitHub, Discord, or Google to continue. No email required.

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 220 — RouteForge — TE.TE HTTP Request Smuggling via Proxy Header Parsing— hackadvisor
[web][Pro]Lab 4 — EdgeRelay — HTTP Request Smuggling via CL-TE Desync— hackadvisor
[web][Pro]DeployVault — Path Confusion to SSRF Chain— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor
[web][Pro]Lab 240 — DeployForge — Prototype Pollution to RCE via Lodash Merge— hackadvisor