Uncovering HTTP Request Smuggling: Techniques, Exploits, and Defenses

Recently I have been researching interesting attack methods. While browsing local PDFs I found a 2019 Black Hat talk on HTTP request smuggling, which was revisited at Black Hat 2020. This sparked my interest and led to the creation of this article.

What Is HTTP Request Smuggling?

HTTP request smuggling is an attack that exploits inconsistencies in how HTTP servers and proxies parse HTTP messages. When a proxy chain contains servers that implement the HTTP specifications differently, a crafted request can be interpreted as two separate requests, allowing an attacker to “smuggle” a hidden request past the front‑end server.

Historical Timeline

2004 – Amit Klein introduced HTTP Response Splitting, the early form of request smuggling. 2005 – The technique was first described in detail by Watchfire. 2016 – Regilero expanded the concept at DEFCON 24 with the talk “Hiding Wookiees in HTTP”. 2019 – James Kettle (PortSwigger) presented “HTTP DESYNC ATTACKS SMASHING INTO THE CELL NEXT DOOR” at Black Hat USA, adding chunked encoding to the attack surface. 2020 – Amit Klein revisited the topic at Black Hat USA with “HTTP Request Smuggling in 2020”, describing new variants.

Why the Attack Is Not Obvious

Unlike classic web attacks, request smuggling relies on the fact that different servers follow different RFC interpretations when handling HTTP messages. The attack becomes possible in complex network environments where reverse proxies, load balancers, and back‑end servers interact.

Key HTTP/1.1 Features

Understanding HTTP/1.1 Keep‑Alive and pipelining is essential.

In HTTP/1.0 each request required a new TCP three‑way handshake. HTTP/1.1 introduced persistent connections (Keep‑Alive) and the ability to pipeline multiple requests without waiting for each response, improving performance.

With pipelining, the client can send several requests in succession; the server processes them FIFO.

Typical Deployment Scenario

Most modern services use CDNs or load balancers in front of back‑end servers. Static resources are served directly from the CDN, while dynamic requests travel through a reverse proxy to the back‑end.

In this model the reverse proxy often reuses TCP connections with the back‑end, while many client connections terminate at the proxy.

How Inconsistent RFC Implementations Lead to Smuggling

When a client sends a request that is ambiguous—e.g., containing both Content‑Length and Transfer‑Encoding: chunked —different servers may choose different parsing rules. The front‑end may honor Content‑Length while the back‑end prefers the chunked length, causing the request body to be split and the trailing part to be interpreted as a new request.

Chunked Transfer Encoding

Chunked encoding allows an HTTP message body to be sent in a series of chunks, each preceded by its size in hexadecimal. The end of the body is signaled by a zero‑length chunk.

When a server does not support chunked encoding, the attacker can combine Content‑Length and Transfer‑Encoding to create a CL‑TE or TE‑CL smuggling vector.

Packet Construction Examples

Simple GET Smuggling (CL‑TE)

1 GET / HTTP/1.1
2 Host: example.com
3 Content-Length: 44

5 GET /secret HTTP/1.1
6 Host: example.com

Because the front‑end ignores Content‑Length for GET requests, the pipeline treats the whole payload as two separate GET requests, achieving smuggling.

Two Content‑Length Headers

1 POST / HTTP/1.1
2 Host: example.com
3 Content-Length: 8
4 Content-Length: 7

5 12345
6 a

The front‑end may use the first length (8) while the back‑end uses the second (7). The extra byte “a” becomes the start of the next request, e.g., aGET / HTTP/1.1, causing a malformed request.

CL‑TE Combination

1 POST / HTTP/1.1
2 Host: example.com
3 User-Agent: Mozilla/5.0 ...
4 Accept: text/html,...
5 Accept-Language: en-US,en;q=0.5
6 Connection: keep-alive
7 Content-Length: 6
8 Transfer-Encoding: chunked

0

G

The back‑end processes the chunked body, while the front‑end stops at the Content‑Length, leaving “G” to be interpreted as the start of a new request.

Obfuscating Transfer‑Encoding Header

1 POST / HTTP/1.1
2 Host: example.com
3 Content-length: 4
4 Transfer-Encoding: chunked
5 Transfer-encoding: cow

5c
GPOST / HTTP/1.1
6 Content-Type: application/x-www-form-urlencoded
7 Content-Length: 15

x=1
0

By adding a bogus Transfer‑encoding: cow header, the front‑end may ignore the legitimate chunked encoding, while the back‑end still parses the chunked body, resulting in smuggling.

PortSwigger Lab Demonstrations

The following labs illustrate real‑world exploitation of request smuggling.

Lab: Bypass front‑end controls (CL‑TE) – smuggle a request to /admin and delete user carlos.

Lab: Reveal front‑end added header – capture the custom IP header and use it to access the admin panel.

Lab: Capture other users' requests – smuggle a request that stores the next victim's request, then reuse the captured cookies.

Lab: Web cache poisoning via request smuggling – inject a malicious JavaScript redirect that triggers alert(document.cookie).

Defensive Measures

Disable TCP connection reuse between front‑end and back‑end.

Adopt HTTP/2, which eliminates the ambiguous parsing of HTTP/1.1.

Ensure front‑end and back‑end use the same HTTP implementation.

These mitigations face practical challenges: HTTP/2 rollout is slow, disabling TCP reuse increases load, and unifying server implementations is often impossible due to vendor differences.

Practical Mitigation: Cloud Services

Moving to cloud‑based infrastructure (cloud VMs, CDNs, WAFs) provides a unified implementation of HTTP parsing, greatly reducing the risk of request smuggling.

* https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Regilero-Hiding-Wookiees-In-Http.pdf * https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn * https://regilero.github.io/english/security/2019/10/17/securityapachetrafficserverhttp_smuggling/ * https://paper.seebug.org/1048 * https://tools.ietf.org/html/rfc2616 * http://blog.zeddyu.info/2019/12/05/HTTP-Smuggling/ * https://tools.ietf.org/html/rfc7230 * https://tools.ietf.org/html/rfc7231