Chunked encoding is defined in the HTTP specification. It modifies the body of an HTTP message so that it is transferred as a series of pieces, or "chunks", of various sizes. The size of each chunk is given by its own size indicator. A chunked HTTP message is followed by an OPTIONAL trailer containing entity-header fields.

Metasploit has the option of turning on chunked HTTP encoding for filter evasion. Most modern filters will, of course, stitch the chunks back together into complete messages. The option still serves a useful purpose: it checks that filters are working as they should and that they are not vulnerable to any of the DoS bugs that have been found in filter handling of chunked HTTP.
Example of a regular HTTP message:
HTTP/1.1 200 OK
Date: Fri, 31 Dec 1999 23:59:59 GMT
Content-Type: text/plain
Content-Length: 82
some-footer: some-value
another-footer: another-value

This is a long string of suspect content that a filter or string search might flag
Example of a chunked HTTP message:
HTTP/1.1 200 OK
Date: Fri, 31 Dec 1999 23:59:59 GMT
Content-Type: text/plain
Transfer-Encoding: chunked

15; ignore-stuff-here
This is a long string
1d
 of suspect content that a fi
1b
lter or string search might
5
 flag
0
some-footer: some-value
another-footer: another-value
[blank line here]
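The reassembly step a filter has to perform before string matching, as an added example that is not part of the original page or of Metasploit. The names `dechunk`, `scan`, `ChunkError` and the size limits are assumptions, and the sample body is constructed from the page's text, split at the same points, with chunk sizes computed from the data.

```python
MAX_CHUNK = 1 << 20  # assumed per-chunk limit
MAX_BODY = 8 << 20   # assumed limit on the reassembled body
HEX = b"0123456789abcdefABCDEF"

class ChunkError(ValueError):
    """Raised for any chunked body the filter should reject."""

def dechunk(body: bytes):
    """Reassemble a chunked body; return (payload, trailer dict)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        # Drop any chunk extension ("; ignore-stuff-here") after the size.
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        # Hex digits only: int(x, 16) alone also accepts "-1", "+5", "0x1a".
        if not 0 < len(size_field) <= 8 or any(c not in HEX for c in size_field):
            raise ChunkError("bad chunk size")
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            break
        if size > MAX_CHUNK or len(out) + size > MAX_BODY:
            raise ChunkError("chunk exceeds limit")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk shorter than declared size")
        out += body[pos:pos + size]
        pos += size + 2
    trailers = {}
    for line in body[pos:].split(b"\r\n"):
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ChunkError("bad trailer line")
        trailers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return bytes(out), trailers

def scan(body: bytes, needle: bytes = b"filter"):
    """Return (hit on raw wire bytes, hit on reassembled payload)."""
    return needle in body, needle in dechunk(body)[0]

# Constructed sample: the page's chunked body with CRLF line endings.
SAMPLE_BODY = (b"15; ignore-stuff-here\r\nThis is a long string\r\n"
               b"1d\r\n of suspect content that a fi\r\n"
               b"1b\r\nlter or string search might\r\n5\r\n flag\r\n"
               b"0\r\nsome-footer: some-value\r\nanother-footer: another-value\r\n\r\n")
```

A filter that matches on the wire bytes misses the word "filter" because it straddles a chunk boundary; matching on the output of `dechunk` finds it, and malformed sizes are rejected instead of being trusted.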