OpenSkillIndex← back to search

Hacktricks-skills http-response-smuggling-desync

HTTP Response Smuggling and Desync attack testing. Use this skill whenever the user needs to test for HTTP response queue desynchronisation vulnerabilities, wants to steal victim responses, perform cache poisoning, or exploit response splitting. Trigger on requests about HTTP smuggling, response desync, proxy desynchronisation, cache poisoning via HTTP, or stealing other users' responses through HTTP request smuggling.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/http-response-smuggling-desync/SKILL.MD
source content

HTTP Response Smuggling / Desync Testing

This skill helps you test for HTTP Response Smuggling vulnerabilities, where you abuse HTTP Request Smuggling to leak or modify responses that victims receive, rather than modifying their requests.

Core Concept

Unlike traditional HTTP Request Smuggling (which modifies the victim's request), Response Smuggling:

  • Sends 2 complete requests to desynchronise the proxy's response queue
  • Steals victim responses (e.g., Set-Cookie headers)
  • Injects attacker-controlled content into victim responses
  • Requires a time-consuming request to create the timing window

When to Use This Skill

Use this skill when:

  • Testing applications with multiple proxies/load balancers in the chain
  • You've identified HTTP Request Smuggling and want to escalate to response attacks
  • You need to steal session cookies or sensitive responses from other users
  • Testing for cache poisoning via response desynchronisation
  • Attempting XSS injection through response manipulation

Prerequisites

  1. HTTP Request Smuggling vulnerability must exist (CL.TE, TE.CL, TE.TE variants)
  2. Proxy chain with at least 2 HTTP proxies/load balancers
  3. Timing window - one request must take longer to process than another

Attack Structure

Basic Exploit Flow

[Attacker] → [Proxy 1] → [Proxy 2] → [Backend]

1. Initial smuggling request (blue) - processed immediately
2. Time-consuming request (yellow) - still processing
3. Victim request arrives - queued after smuggled request
4. Smuggled response sent to victim (or vice versa)

Required Components

  1. Initial smuggling request - Creates the desynchronisation
  2. Time-consuming request - Must take longer than victim request processing
  3. Payload request(s) - Responses that will be sent to victims

Attack Types

1. Capturing Other Users' Requests

Goal: Steal responses meant for other users (e.g., session cookies)

Requirements:

  • Endpoint that reflects parameters in response
  • No persistent storage needed

Payload Structure:

POST /reflected-endpoint HTTP/1.1
Host: target.com
Content-Length: 999999

[reflected parameter]

[Large padding to create timing window]

Flow:

  1. Attacker sends POST with reflected parameter + large Content-Length
  2. Initial request processed, "sleepy" request still processing
  3. Victim request appended to queue after reflected parameter
  4. Victim receives sleepy request response
  5. Attacker sends another request, receives victim's response

2. Response Desynchronisation with HEAD

Goal: Control response body while proxy expects different content

Why HEAD works:

  • HEAD responses contain Content-Length but no body
  • Proxy waits for content that never arrives
  • Next response fills the gap

Payload:

HEAD /target-endpoint HTTP/1.1
Host: target.com
Content-Length: 0

[Additional smuggled request with malicious content]

3. Content Confusion (XSS Injection)

Goal: Inject XSS into pages that aren't directly vulnerable

Technique:

  1. Inject HEAD request with Content-Type: text/html
  2. Inject malicious body in subsequent request
  3. Victim receives response with attacker-controlled body

Example:

HEAD /page HTTP/1.1
Host: target.com
Content-Length: 50

<script>alert('XSS')</script>

4. Cache Poisoning

Goal: Poison cache with malicious responses

Requirements:

  • Cache stores victim's request response
  • Ability to inject response with cache headers

Payload:

[Smuggling request]

GET /cached-endpoint HTTP/1.1
Host: target.com
Cache-Control: public, max-age=3600
Content-Type: text/html

[Malicious XSS payload]

Impact: All subsequent users receive cached malicious response

5. Web Cache Deception

Goal: Cache victim-specific information (e.g., authenticated pages)

Technique:

  1. Desynchronise responses
  2. Make cache store victim's authenticated response
  3. Access cached response without authentication

6. Response Splitting

Goal: Make proxy send 100% attacker-generated response

Requirements:

  • Endpoint reflecting values in response
  • Known Content-Length of HEAD response

Payload Structure:

[Initial smuggling request]

HEAD /endpoint HTTP/1.1
Host: target.com
Content-Length: [known length]

[Second request with reflected data matching HEAD length]

[Third request - completely attacker controlled]

Testing Methodology

Step 1: Confirm HTTP Request Smuggling

First verify basic HTTP Request Smuggling exists:

# Test CL.TE variant
curl -X POST http://target.com/endpoint \
  -H "Content-Length: 5" \
  -H "Transfer-Encoding: chunked" \
  -d "5\r\nX-Y: Z\r\n0\r\n\r\ntest"

# Test TE.CL variant
curl -X POST http://target.com/endpoint \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 5" \
  -d "5\r\ntest\r\n0\r\n\r\n"

Step 2: Identify Time-Consuming Endpoints

Find endpoints that take longer to process:

# Test various endpoints for processing time
for endpoint in /api/search /api/report /api/export /api/generate; do
  time curl -s http://target.com$endpoint -o /dev/null
done

Look for endpoints with:

  • Database queries
  • File processing
  • External API calls
  • Complex computations

Step 3: Craft Response Smuggling Payload

Use the helper script to generate payloads:

python scripts/generate_response_smuggling.py \
  --variant cl-te \
  --sleepy-endpoint /api/slow-query \
  --payload-endpoint /api/reflect \
  --attack-type cache-poisoning

Step 4: Test with Burp Suite

  1. Setup:

    • Enable HTTP Request Smuggling detection in Burp
    • Configure interceptors to capture responses
    • Set up multiple browser sessions (attacker + victim)

  2. Execution:

    • Send initial smuggling request
    • Trigger sleepy request
    • Have victim make request during timing window
    • Capture and analyze responses

  3. Verification:

    • Check if victim received unexpected response
    • Verify attacker received victim's response
    • Confirm cache poisoning if applicable

Detection & Evasion

Signs of Success

  • Victim receives response from different endpoint
  • Attacker receives victim's Set-Cookie headers
  • Cache contains unexpected content
  • Response headers don't match expected endpoint

Common Issues

  1. Timing too short: Increase sleepy request duration
  2. Proxy rejects malformed requests: Adjust Content-Length/Transfer-Encoding
  3. Responses discarded: Ensure proper HTTP formatting
  4. No desynchronisation: Verify proxy chain exists

Evasion Techniques

  • Use realistic Content-Length values
  • Match expected header formats
  • Time requests during low-traffic periods
  • Use legitimate-looking sleepy endpoints

Safety & Ethics

Only test systems you have explicit authorization to test.

  • HTTP Response Smuggling can steal session cookies
  • Cache poisoning affects all users
  • Response splitting can inject arbitrary content
  • These attacks can cause significant damage

References

Helper Scripts

Use the bundled scripts for payload generation:

  • scripts/generate_response_smuggling.py
    - Generate smuggling payloads
  • scripts/analyze_response_timing.py
    - Analyze response timing for sleepy endpoints

Run with 

--help
for usage details.