- Status Closed
- Assigned To No-one
- Private
Opened by waloodi_109 - 25.09.2025
Last edited by cbay - 25.09.2025
FS#216 - Client-Side Desync Http Request Smuggling in https://admin.alwaysdata.com/site/resolver/
#Client-Side Desync Http Request Smuggling in https://admin.alwaysdata.com/site/resolver/
Severity(Critical)
Hello Team, I hope you are doing well. While, Researching in your domain, I found Client-side desync in https://admin.alwaysdata.com/site/resolver/ vulnerability in your domain.
#Steps to Reproduce:
1. Go to https://admin.alwaysdata.com/site/resolver/ and Capture the request in Burp.
2. Paste the code to perform Client-side desync ( Code is Below):
POST /site/resolver/ HTTP/1.1
Host: admin.alwaysdata.com
Cookie: csrftoken=; mtm_consent=; roundcube_sessid=*; roundcube_sessauth=*; django_language=fr; sessionid= Content-Type: text/plain
Content-Length: 104
Transfer-Encoding: chunked
0
GET /en/ HTTP/1.1
Host: www.alwaysdata.com Content-Type: text/plain
{
"addresses":["<script>alert(1)</script>"
]
}
3. Run this Request and you can see 2 Responses occurs.
4. Send this Request multiple time and see it's Caching the request( Screenshot attached Below).
#Video is attached below for confirming Client-Side Desync Http Request Smuggling
# Impacts of client-side desync:
Inject malicious scripts: Smuggle a request that injects a malicious script into a victim's session.
Hijack the session: Use the injected script to steal the victim's session cookie, allowing the attacker to impersonate the victim.
Force authenticated actions: The attacker can compel the victim's browser to perform unauthorized actions on their behalf.
Web cache poisoning
If the vulnerable endpoint involves a web cache, a CSD can be leveraged to poison it.
Redirect users: An attacker could poison the cache to redirect users to a malicious site, potentially leading to phishing or other scams.
Sensitive information disclosure
A CSD can force a victim's browser to send a request that leaks sensitive information, such as their session cookies
Denial of service (DoS)
Overwhelming a server with malformed or inconsistent requests can cause it to become unstable or unresponsive, leading to a denial-of-service condition.
Thank You,
Waleed Anwar
bandicam 2025-09-25 19-37-28-...
(8.17 MiB)
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Caching the Response
Hello,
It's because you have 2 requests, not one (one POST and one GET).
The GET is cached, which is normal.
The rest of your issue doesn't make any sense, sorry. Your video shows no vulnerability whatsoever.
Kind regards,
Remove the second request, it show's 2 responses
In video, you can see that https://admin.alwaysdata.com/jsi18n/ response is misinterpretating with www.alwaysdata.com, attacker can redirect victim to a phishing page to steal the data
Then send a video where you manage to redirect a victim to a phishing page then.
There is a Client Side Desync appear in the request, you can remove the GET request to see it's generating 2 responses with 1 request
https://siunam321.github.io/ctf/portswigger-labs/HTTP-Request-Smuggling/smuggling-20/