HTTP Request Smuggling

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

HTTP Request Smuggling is a technique that exploits differences in how front-end proxies and back-end servers parse HTTP Content-Length and Transfer-Encoding headers. This allows an attacker to "smuggle" malicious requests through the proxy.

HTTP request smuggling can lead to cache poisoning, session hijacking, and bypassing security controls.

Category: Web. Web application enumeration and exploitation techniques.

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting HTTP Request Smuggling:

POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Foo: x

Transfer-Encoding: chunked, HTTP/1.1 vs CL.TE de-sync
Transfer-Encoding: xchunked (obfuscated TE header)

Tools & Techniques

Recommended tools and techniques for HTTP Request Smuggling:

  • Test CL.TE (Content-Length vs Transfer-Encoding)
  • Test TE.CL (Transfer-Encoding vs Content-Length)
  • Test TE.TE (Transfer-Encoding obfuscation)
  • Use Burp Suite HTTP Request Smuggler extension
  • Turbo Intruder for automated smuggling testing

Prevention & Mitigation

Security recommendations to prevent HTTP Request Smuggling:

  • Use HTTP/2 for front-end to back-end communication
  • Disable HTTP/1.0 keep-alive connections
  • Configure front-end to normalize conflicting headers
  • Use consistent request parsing across all servers
  • Apply strict validation of Content-Length and Transfer-Encoding headers
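
An added example, not part of the original cheatsheet: a strict header check a front-end could apply before forwarding, covering the validation and normalization points above. The function name, the reject-anything-ambiguous policy (including requiring Transfer-Encoding to be exactly "chunked") and the sample requests are assumptions constructed for illustration.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 field-name token


def framing_problems(raw_head: bytes) -> list:
    """Return reasons to reject a request head (request line + headers)."""
    problems = []
    if b"\n" in raw_head.replace(b"\r\n", b""):
        problems.append("bare LF line ending")
    cl_values, te_values = [], []
    for line in raw_head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                                 # end of the header block
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            problems.append(f"malformed field name {name!r}")
        # Classify leniently, the way a permissive back-end parser might.
        key = name.strip().lower()
        if key == b"content-length":
            cl_values.append(value.strip(b" \t"))
        elif key == b"transfer-encoding":
            te_values.append(value.strip(b" \t").lower())
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cl_values):
        problems.append("non-numeric Content-Length")
    # Assumed strict policy: the only accepted value is a single "chunked".
    if te_values and te_values != [b"chunked"]:
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems


# Constructed samples; the first repeats the header set of the request shown earlier.
CL_TE = (b"POST / HTTP/1.1\r\nHost: target.com\r\n"
         b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n")
TE_OBFUSCATED = (b"POST / HTTP/1.1\r\nHost: target.com\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 13\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("CL+TE", CL_TE), ("obfuscated TE", TE_OBFUSCATED), ("clean", CLEAN)):
        print(label, "->", framing_problems(head) or "accept")
```

A non-empty result means the request should be rejected with a 400 and the connection closed rather than repaired and forwarded.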
