Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/benjitrapp/http-request-smuggling-lab
Two hacking challenges related to HTTP request smuggling
https://github.com/benjitrapp/http-request-smuggling-lab
hacking hacking-lab http-request-s nginx
Last synced: 12 days ago
JSON representation
Two hacking challenges related to HTTP request smuggling
- Host: GitHub
- URL: https://github.com/benjitrapp/http-request-smuggling-lab
- Owner: BenjiTrapp
- Created: 2022-03-18T15:16:14.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-03-22T07:55:29.000Z (almost 3 years ago)
- Last Synced: 2024-12-23T11:45:02.792Z (13 days ago)
- Topics: hacking, hacking-lab, http-request-s, nginx
- Language: HTML
- Homepage: https://benjitrapp.github.io/
- Size: 2.52 MB
- Stars: 15
- Watchers: 2
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
Ready to steal some treasures from Scrooge McDuck's Money Bin?
Read carefully this [site](https://portswigger.net/web-security/request-smuggling) and finish the tutorial to undertand this vulnerability. This kind of attack is very tricky to understand, but totally awesome when you finally see it in action.
If you still feel lost you can peek into the `SOLUTION.md` file in each of the labs - if you find another path to the flag send me a Pull Request and tell the world how you achieved it.
To get the labs done you will require at least these things:
* Docker and Docker-Compose
* A tool to intercept traffic like: [Burp](https://portswigger.net/burp/communitydownload), [Hetty](https://github.com/dstotijn/hetty) or [OWASP ZAP](https://github.com/zaproxy/zaproxy)
* Your favorite Browser with debugging tools
* Terminal to run curl, netcat etc.
* An IDE with support for the language you like (Spoiler: I used bash and python. Go and Java should work as well)
> The stuff in this repository is meant to be run only as CTF challenge. Do not use in production - use it in an isolated sandbox only. I'm not responsible for any damage caused by this code
* First at all: The technique behind HTTP request smuggling
* Stop using a Proxy as alternative to a Firewall and/or WAF - use it as an additional perimeter
* Don't trust your network blindly! Zero-Trust is hard to achieve but worth to iterate at it as an inspiration
Have fun and keep smuggling