
Hi, I started to find bug bounty vulnerabilities and I think I found a TE.CL vulnerability in a website.

I send

GET / HTTP/1.1
Transfer-Encoding: chunked
Host: subdomain.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 6

0

GET / HTTP/1.1
Host: subdomain.domain.com

and I get in return

HTTP/1.1 302 Moved Temporarily
Location: https://other_subdomain.domain.com/somewhere/
Server: server_name
Content-Length: 0
Date: Thu, 04 Feb 2021 02:27:57 GMT
Connection: keep-alive

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 216
Expires: Thu, 04 Feb 2021 02:27:57 GMT
Date: Thu, 04 Feb 2021 02:27:57 GMT
Connection: close

<HTML><HEAD>
<TITLE>Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Reference&#32;&#35;7&#46;9697f648&#46;1612405677&#46;0
</BODY>
</HTML>

What did I miss? How can I make the second request be a legitimate request?

eyal

1 Answer


What did I miss?

You've missed that you've explicitly constructed a request which is open to multiple interpretations and that the best answer a server could do to this is to reject this request. And that's exactly what the server did, i.e. perfectly normal and sane behavior.

How can I make the second request be a legitimate request?

Ideally, all servers would reject such kinds of requests. There are many other ways requests might be open to multiple interpretations - see for example HTTP request smuggling. If you are lucky, some of these methods work, but from the perspective of security I hope that none work against the specific target.

Steffen Ullrich
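The rejection the answer calls "perfectly normal and sane", as an added example that is not part of the question or the answer: a framing check in Python that a front end could apply to a raw request head before forwarding it. The `Framing` class and `check_framing` function are assumed names; the sample bytes are the question's request reconstructed with CRLF line endings, plus a constructed clean chunked request for comparison.

```python
# Added example: reject requests whose body length is ambiguous, as the
# server in the question did. Names are hypothetical; the RFC rule is real.
from dataclasses import dataclass


@dataclass
class Framing:
    ok: bool
    mode: str      # "content-length", "chunked", "none" or "reject"
    reason: str


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Split the request head into a name -> [values] map (names lowercased)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]            # skip the request line
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return headers


def check_framing(raw: bytes) -> Framing:
    """Decide how the body is delimited, or reject if the answer is ambiguous."""
    h = parse_headers(raw)
    cl = h.get("content-length", [])
    te = h.get("transfer-encoding", [])
    # RFC 7230 s3.3.3 / RFC 9112 s6.3: a message carrying both headers "might
    # indicate an attempt to perform request smuggling ... and ought to be
    # handled as an error". A strict front end simply refuses it.
    if cl and te:
        return Framing(False, "reject", "both Content-Length and Transfer-Encoding present")
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        return Framing(False, "reject", "invalid or conflicting Content-Length")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            return Framing(False, "reject", "final transfer-coding is not chunked")
        return Framing(True, "chunked", "body delimited by chunked encoding")
    if cl:
        return Framing(True, "content-length", f"body is {cl[0]} bytes")
    return Framing(True, "none", "no body")


# Constructed sample: the request from the question, CRLF line endings restored.
SMUGGLE_ATTEMPT = (b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
                   b"Host: subdomain.domain.com\r\nContent-Length: 6\r\n\r\n0\r\n\r\n")
# Constructed sample: the same body framed by one header only.
CLEAN_CHUNKED = (b"POST / HTTP/1.1\r\nHost: subdomain.domain.com\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

Running `check_framing(SMUGGLE_ATTEMPT)` yields `mode == "reject"`, while the single-header `CLEAN_CHUNKED` request is accepted as `"chunked"`.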