by x32x01
HTTP Request Smuggling is one of the most dangerous web vulnerabilities in modern applications.
It doesn’t rely on broken authentication or bad code - it exploits protocol ambiguity in HTTP/1.1.
HRS affects infrastructure components such as:
- Reverse proxies
- Load balancers
- Caches
- WAFs
- Backend servers
Why HTTP Request Smuggling Exists
Modern web architecture often looks like this:
Client → CDN / Proxy → Load Balancer → WAF → Backend Server
Each component must decide:
- Where the request body starts
- Where it ends
- When the next request begins
When two components answer these questions differently, their views of the same byte stream drift apart. This desync is the core concept behind HRS.
Root Cause
HTTP/1.1 allows two ways to define request length:
- Content-Length
- Transfer-Encoding: chunked
When a request carries both headers, implementations disagree about which one governs:
- One server may trust Content-Length
- Another may trust Transfer-Encoding
Real-World Consequences
HTTP Request Smuggling can lead to high-impact issues:
- Authentication bypass
- Account takeover
- Cache poisoning attacks
- Stored XSS delivery to users
- CSRF bypass
- Stealing session cookies
- Exploiting internal endpoints
- Performing actions as other users
HRS Attack Variants
1) CL.TE Attack (Content-Length → Transfer-Encoding)
Front-End: Uses Content-Length
Back-End: Uses Transfer-Encoding
Payload Example:
Code:
POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 56
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable.com
How it works:
- Proxy reads the body using Content-Length
- Backend reads the chunked body and stops at the 0 chunk
- The remaining bytes (GET /admin) become a hidden request
- Attacker reaches the protected endpoint
2) TE.CL Attack (Transfer-Encoding → Content-Length)
Front-End: Uses Transfer-Encoding
Back-End: Uses Content-Length
Payload Example:
Code:
POST / HTTP/1.1
Host: vulnerable.com
Transfer-Encoding: chunked
Content-Length: 4

5e
GET /admin HTTP/1.1
Host: vulnerable.com

0

Result:
- Front-end processes the chunked encoding
- Backend reads only 4 bytes
- The remaining data becomes a hidden request
3) TE.TE Attack (Obfuscated Transfer-Encoding)
Attackers bypass strict filters using malformed headers:
Code:
Transfer-Encoding: chunked
Transfer-Encoding: xchunked
or
Code:
Transfer-Encoding : chunked
or
Code:
Transfer-Encoding: chunked,chunked
Different servers interpret these headers differently → request desync occurs.
Advanced Smuggling Techniques
Attackers often combine tricks to evade detection:
- Header obfuscation (Transfer-Encoding\t: chunked)
- Line wrapping tricks
- Case manipulation (tRaNsFeR-EnCoDiNg)
- Whitespace injections
- HTTP pipelining abuse
- Cache poisoning via smuggled responses
- Session fixation using smuggled Set-Cookie
How Attackers Detect HRS
Detection usually involves sending malformed requests and observing anomalies:
- Response desynchronization
- Delayed responses
- Unexpected status codes
- Backend error messages
- Cache behavior anomalies
Tools:
- Burp Suite (Request Smuggler)
- Custom Python scripts
- Raw socket testing
Defense & Mitigation (Critical)
1. Reject Ambiguous Requests
Block requests with both Content-Length and Transfer-Encoding.
2. Strict RFC Compliance
Ensure all components parse HTTP exactly the same.
3. Use HTTP/2 Internally
HTTP/2 removes request boundary ambiguity.
4. Disable Backend Connection Reuse
Prevent desync on persistent connections.
5. Normalize Headers
Convert headers to a canonical format before forwarding.
6. WAF is Not Enough
WAF must parse requests exactly like backend servers.
7. Logging & Monitoring
- Track unusual request lengths
- Detect malformed HTTP headers
- Alert on protocol anomalies
Example Secure Configuration
- Single authority defines request boundaries
- Proxy strips duplicate headers
- Backend trusts only proxy
- Enforce maximum request size
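As an added example (not code from the original post), the following Python frames one raw request under three policies: 'cl' as the CL.TE front-end above does, 'te' as the CL.TE back-end does (the TE.CL variant is the same pair swapped), and 'strict', which implements items 1 and 5 of the defence list: exactly one well-formed framing header, otherwise the request is rejected and the reason is available for logging. The sample request is constructed here with a computed Content-Length, and the two lenient policies each emulate one plausible parser, which is an assumption rather than any specific product's behaviour.

```python
def chunked_body_len(body: bytes) -> int:
    """Bytes a chunked decoder consumes: chunks, the 0 last-chunk, any trailers, final CRLF."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # chunk-size; extensions ignored
        if size == 0:                                   # last-chunk: ends at the blank line after trailers
            return body.index(b"\r\n\r\n", eol) + 4
        pos = eol + 2 + size + 2                        # CRLF, chunk-data, CRLF

def frame_request(raw: bytes, policy: str):
    """Return (bytes consumed, leftover bytes) under one framing policy.
    'cl' trusts Content-Length (the CL.TE front-end); 'te' trusts anything that looks like
    Transfer-Encoding: chunked (the CL.TE back-end); 'strict' accepts exactly one well-formed
    framing header and raises ValueError otherwise (hypothetical hardened behaviour)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head")
    headers = [line.partition(b":") for line in head.split(b"\r\n")[1:]]   # (name, ':', value)
    cl = [v.strip() for n, _, v in headers if n.lower() == b"content-length"]
    te = [v.strip() for n, _, v in headers if n.lower().rstrip() == b"transfer-encoding"]
    if policy == "strict":
        if any(not c or n != n.rstrip() for n, c, _ in headers):   # 'Transfer-Encoding : chunked'
            raise ValueError("malformed header line or whitespace before ':'")
        if cl and te:
            raise ValueError("both Content-Length and Transfer-Encoding present")
        if len(cl) > 1 or len(te) > 1 or (te and te[0] != b"chunked"):   # 'chunked,chunked', 'xchunked'
            raise ValueError("duplicate or non-canonical framing header")
        if cl and not cl[0].isdigit():
            raise ValueError("Content-Length is not a plain integer")
    body_at = len(head) + 4
    if policy != "cl" and any(b"chunked" in v for v in te):
        n = chunked_body_len(raw[body_at:])
    else:
        n = int(cl[0]) if cl else 0
    return body_at + n, raw[body_at + n:]

def is_rejected(raw: bytes) -> bool:
    try:
        frame_request(raw, "strict")
        return False
    except ValueError:
        return True

# Constructed samples shaped like the CL.TE payload above (Content-Length computed, not the page's 56).
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: vulnerable.com\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
SAMPLE = (b"POST / HTTP/1.1\r\nHost: vulnerable.com\r\nContent-Length: %d\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" % len(BODY)) + BODY
CLEAN = b"POST / HTTP/1.1\r\nHost: vulnerable.com\r\nContent-Length: 2\r\n\r\nhi"
```

Under 'cl' the whole of SAMPLE is one request; under 'te' the bytes after the 0 chunk are left over as a second request, which is exactly the disagreement the CL.TE section describes, and 'strict' refuses SAMPLE while still framing CLEAN normally.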
Bug Bounty Tips
Many high-value bug bounty reports exist because of HRS:
- Admin panels accessed without auth
- User accounts hijacked
- Sensitive endpoints abused
Final Words
HTTP Request Smuggling is a silent killer:
- No alerts
- No crashes
- Just logic abuse