All SkillsGet Started Free
Exploiting HTTP Request Smuggling
Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding parsing discrepancies between front-end and back-end servers.
MCP get_skill({ skillId: "exploiting-http-request-smuggling-06eb79b7" })Use this skill with your agent
Create a free account and connect via MCP
# Exploiting HTTP Request Smuggling
## When to Use
- During authorized penetration tests when the application sits behind a reverse proxy, load balancer, or CDN
- When testing infrastructure with multiple HTTP processors in the request chain (nginx + Apache, HAProxy + Gunicorn)
- For assessing applications for HTTP desynchronization vulnerabilities
- When other attack vectors are limited and you need to bypass front-end security controls
- During security assessments of multi-tier web architectures
## Prerequisites
- **Authorization**: Written penetration testing agreement explicitly covering request smuggling (high-risk test)
- **Burp Suite Professional**: With HTTP Request Smuggler extension (Turbo Intruder)
- **smuggler.py**: Automated HTTP request smuggling detection tool
- **curl**: Compiled with HTTP/1.1 support and manual chunked encoding
- **Target architecture knowledge**: Understanding of proxy/server chain (front-end and back-end)
- **Caution**: Request smuggling can affect other users' requests; test carefully
## Workflow
### Step 1: Identify the HTTP Architecture
Determine the proxy/server chain and HTTP parsing characteristics.
```bash
# Identify front-end proxy/CDN
curl -s -I "https://target.example.com/" | grep -iE \
"(server|via|x-served-by|x-cache|cf-ray|x-amz|x-varnish)"
# Common architectures:
# Cloudflare → Nginx → Application
# AWS ALB → Apache → Application
# HAProxy → Gunicorn → Python app
# Nginx → Node.js/Express
# Akamai → IIS → .NET app
# Check HTTP version support
curl -s -I --http1.1 "https://target.example.com/" | head -1
curl -s -I --http2 "https://target.example.com/" | head -1
# Check if Transfer-Encoding is supported
curl -s -X POST \
-H "Transfer-Encoding: chunked" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "0\r\n\r\n" \
"https://target.example.com/" -w "%{http_code}"
# Check for HTTP/2 downgrade to HTTP/1.1 on backend
# Many CDNs accept HTTP/2 but forward HTTP/1.1 to origin#mukul-cybersecurity-skills#security#cybersecurity#applicationgitpythoncurlburpsuitesmugglerh2csmuggler