HTTP Desync Attack (Request Smuggling) - Mass Account Takeover

NOTE to respect the nondisclosure policy of the program, the actual vulnerable asset is not disclosed and the same has been referenced as my.vulnerable.com wherever necessary.

I had found an HTTP Desync (Request Smuggling) vulnerability affecting one of the cryptocurrency payment system (https://my.vulnerable.com) along with 121 other hosts utilizing the Distil Bot protection.

It was observed that the front end server is using the Content-Length while the back end server is making use of Transfer-Encoding header to determine the length of an HTTP request. This desynchronization in determining the length of request between the servers could be abused into escalating a Mass Account Takeover scenario by utilizing the POST parameters of urlencoded form to log requests of legit users.

Proof of Concept - Basic -:

Please NOTE that in an effort to provide the key proof of concept in the most basic and realistic form, the entire demonstration was carried out by utilizing two different machines operating at two different public IP addresses (one to depict victim and other for attacker) by making the use of Burp’s native intruder instead of Turbo intruder. It should also be noted that the following form of testing would cause realtime disruption against the genuine users and so during the submission of this report, the entire assessment was carried out within the staging…