Markdown Linting - SSI, SSRF, SSTI

Request Smuggling/README.md

@@ -2,32 +2,28 @@
 
 > HTTP Request smuggling occurs when multiple "things" process a request, but differ on how they determine where the request starts/ends. This disagreement can be used to interfere with another user's request/response or to bypass security controls. It normally occurs due to prioritising different HTTP headers (Content-Length vs Transfer-Encoding), differences in handling malformed headers (eg whether to ignore headers with unexpected whitespace), due to downgrading requests from a newer protocol, or due to differences in when a partial request has timed out and should be discarded.
 
-
 ## Summary
 
 * [Tools](#tools)
 * [Methodology](#methodology)
-    * [CL.TE Vulnerabilities](#cl.te-vulnerabilities)
-    * [TE.CL Vulnerabilities](#te.cl-vulnerabilities)
+    * [CL.TE Vulnerabilities](#clte-vulnerabilities)
+    * [TE.CL Vulnerabilities](#tecl-vulnerabilities)
     * [TE.TE Vulnerabilities](#tete-vulnerabilities)
     * [HTTP/2 Request Smuggling](#http2-request-smuggling)
     * [Client-Side Desync](#client-side-desync)
 * [Labs](#labs)
 * [References](#references)
 
-
 ## Tools
 
 * [bappstore/HTTP Request Smuggler](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) - An extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks
 * [defparam/Smuggler](https://github.com/defparam/smuggler) - An HTTP Request Smuggling / Desync testing tool written in Python 3
 * [dhmosfunk/simple-http-smuggler-generator](https://github.com/dhmosfunk/simple-http-smuggler-generator) - This tool is developed for burp suite practitioner certificate exam and HTTP Request Smuggling labs.
 
-
 ## Methodology
 
 If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as PortSwigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`.
 
-
 ### CL.TE Vulnerabilities
 
 > The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.
@@ -58,10 +54,9 @@ Transfer-Encoding: chunked
 G
 ```
 
-
 ### TE.CL Vulnerabilities
 
-> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header. 
+> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.
 
 ```powershell
 POST / HTTP/1.1
@@ -97,7 +92,6 @@ x=1
 
 :warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence `\r\n\r\n` following the final 0.
 
-
 ### TE.TE Vulnerabilities
 
 > The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
@@ -114,24 +108,22 @@ Transfer-Encoding
 : chunked
 ```
 
-
 ## HTTP/2 Request Smuggling
 
 HTTP/2 request smuggling can occur if a machine converts your HTTP/2 request to HTTP/1.1, and you can smuggle an invalid content-length header, transfer-encoding header or new lines (CRLF) into the translated request. HTTP/2 request smuggling can also occur in a GET request, if you can hide an HTTP/1.1 request inside an HTTP/2 header
 
-```
+```ps1
 :method GET
 :path /
 :authority www.example.com
 header ignored\r\n\r\nGET / HTTP/1.1\r\nHost: www.example.com
 ```
 
-
 ## Client-Side Desync
 
 On some paths, servers don't expect POST requests, and will treat them as simple GET requests, ignoring the payload, eg:
 
-```
+```ps1
 POST / HTTP/1.1
 Host: www.example.com
 Content-Length: 37
@@ -167,12 +159,11 @@ fetch('https://www.example.com/redirect', {
 })
 ```
 
-This script tells the victim browser to send a `POST` request to `www.example.com/redirect`. That returns a redirect which is blocked by CORS, and causes the browser to execute the catch block, by going to `www.example.com`. 
+This script tells the victim browser to send a `POST` request to `www.example.com/redirect`. That returns a redirect which is blocked by CORS, and causes the browser to execute the catch block, by going to `www.example.com`.
 
-www.example.com now incorrectly processes the `HEAD` request in the `POST`'s body, instead of the browser's `GET` request, and returns 404 not found with a content-length, before replying to the next misinterpreted third (`GET /x?x=<script>...`) request and finally the browser's actual `GET` request.
+`www.example.com` now incorrectly processes the `HEAD` request in the `POST`'s body, instead of the browser's `GET` request, and returns 404 not found with a content-length, before replying to the next misinterpreted third (`GET /x?x=<script>...`) request and finally the browser's actual `GET` request.
 Since the browser only sent one request, it accepts the response to the `HEAD` request as the response to its `GET` request and interprets the third and fourth responses as the body of the response, and thus executes the attacker's script.
 
-
 ## Labs
 
 * [PortSwigger - HTTP request smuggling, basic CL.TE vulnerability](https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te)
@@ -181,11 +172,10 @@ Since the browser only sent one request, it accepts the response to the `HEAD` r
 * [PortSwigger - Response queue poisoning via H2.TE request smuggling](https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning/lab-request-smuggling-h2-response-queue-poisoning-via-te-request-smuggling)
 * [PortSwigger - Client-side desync](https://portswigger.net/web-security/request-smuggling/browser/client-side-desync/lab-client-side-desync)
 
-
 ## References
 
-- [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - October 16, 2020](https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling)
-- [Advanced Request Smuggling - PortSwigger - October 26, 2021](https://portswigger.net/web-security/request-smuggling/advanced#http-2-request-smuggling)
-- [Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - James Kettle (@albinowax) - August 10, 2022](https://portswigger.net/research/browser-powered-desync-attacks)
-- [HTTP Desync Attacks: Request Smuggling Reborn - James Kettle (@albinowax) - August 7, 2019](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
-- [Request Smuggling Tutorial - PortSwigger - September 28, 2019](https://portswigger.net/web-security/request-smuggling)
+* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - October 16, 2020](https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling)
+* [Advanced Request Smuggling - PortSwigger - October 26, 2021](https://portswigger.net/web-security/request-smuggling/advanced#http-2-request-smuggling)
+* [Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - James Kettle (@albinowax) - August 10, 2022](https://portswigger.net/research/browser-powered-desync-attacks)
+* [HTTP Desync Attacks: Request Smuggling Reborn - James Kettle (@albinowax) - August 7, 2019](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
+* [Request Smuggling Tutorial - PortSwigger - September 28, 2019](https://portswigger.net/web-security/request-smuggling)