The CRLF characters are not included correctly.


Nur Muhammad Wafa

Aug 7, 2025, 9:09:31 AM
to ZAP User Group
Hi team, I am trying to exploit the HTTP request smuggling vulnerability, but there is an issue with handling chunked data: CRLF is not included correctly. This is evident when I debug through the output tab.
Screenshot 2025-08-07 200016.png
In the body of the request, it should look like this:
0\r\n
\r\n
G\r\n
\r\n
But in the debug output, the request sent does not match; this may be the reason why the HRS exploitation I am attempting always fails.
Screenshot 2025-08-07 200355.png
After 0, \r is not included.

Is it possible to create something to control CRLF characters to see if they are correct (perhaps something like what exists in Burp), or is there another solution that is easier to implement?

Thanks for reading this message.

Simon Bennetts

Aug 12, 2025, 10:33:15 AM
to ZAP User Group
Change the Request display option from Text to Hex.
You will then be able to see and edit the hex values :D 
If you need to add or remove characters then switch back to hex, get the right number of characters in the relevant places then switch back to hex to change them.

Is there a more user friendly way we could be doing this?

Cheers,

Simon
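
A byte-level way to confirm whether the line endings in a chunked body are correct, as an added example that is not part of the thread and not ZAP code: a strict chunked-framing check that accepts only CRLF, the same rule a server or proxy applies when it refuses ambiguous framing. The function names are hypothetical, and the second sample body is constructed to match the "after 0, \r not included" description above.

```python
import re

# chunk-size in hex, optionally followed by chunk extensions
SIZE_LINE = re.compile(rb"[0-9A-Fa-f]+(;[^\r\n]*)?")

def read_line(body, pos):
    """Return (line, next_pos) for one CRLF-terminated line; raise on a lone CR or LF."""
    for i in range(pos, len(body)):
        if body[i] == 0x0A:                       # LF must be preceded by CR
            if i == pos or body[i - 1] != 0x0D:
                raise ValueError(f"bare LF at offset {i}")
            return body[pos:i - 1], i + 1
        if body[i] == 0x0D and body[i + 1:i + 2] != b"\n":
            raise ValueError(f"bare CR at offset {i}")
    raise ValueError(f"no CRLF after offset {pos}")

def check_chunked(body):
    """Strictly parse a chunked body; return how many bytes the message occupies."""
    pos = 0
    while True:
        line, pos = read_line(body, pos)
        if not SIZE_LINE.fullmatch(line):
            raise ValueError(f"bad chunk-size line {line!r}")
        size = int(line.split(b";")[0], 16)
        if size == 0:
            break
        end = pos + size                          # chunk data is skipped by length, not by line
        if body[end:end + 2] != b"\r\n":
            raise ValueError(f"chunk data not followed by CRLF at offset {end}")
        pos = end + 2
    while True:                                   # trailer section ends at an empty line
        line, pos = read_line(body, pos)
        if line == b"":
            return pos

def report(body):
    """One-line verdict: framing length and leftover bytes, or the first framing error."""
    try:
        used = check_chunked(body)
        return f"ok: {used} framing bytes, {len(body) - used} bytes after the terminating chunk"
    except ValueError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    intended = b"0\r\n\r\nG\r\n\r\n"   # the body as written in the post
    observed = b"0\n\r\nG\r\n\r\n"     # constructed: CR missing after 0, as the post describes
    print(report(intended))
    print(report(observed))
```

The reported offset is the position of the offending byte, so it can be matched directly against the Hex view of the request.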