hunt-http-smuggling

17. HTTP REQUEST SMUGGLING

Lowest dup rate. $5K–$30K. PortSwigger research by James Kettle.

CL.TE (Content-Length front, Transfer-Encoding back)

POST / HTTP/1.1
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

Detection

1. Burp extension: HTTP Request Smuggler
2. Right-click request → Extensions → HTTP Request Smuggler → Smuggle probe
3. Manual timing: CL.TE probe + ~10s delay = backend waiting for rest of body

Impact Chain

Poison next request → access admin as victim
Steal credentials → capture victim's session
Cache poisoning → stored XSS at scale

Target-Suitability Matrix (2026 reality check)

The classic CL.TE / TE.CL payloads are NOT universally exploitable in 2026. Modern proxies are RFC 9112 strict by default. Fingerprint the front-end BEFORE investing time.

Operator fingerprint quick-check

curl -sI https://target/ | grep -i "Server:"

• nginx/1.21+, Caddy, envoy → CL/TE classic is dead — pivot to H2.CL/H2.TE if the front-end speaks HTTP/2, or look for legacy proxies upstream
• HAProxy, header points to AWS/CDN → run the full payload matrix
• No Server header → assume hardened, but run a single quick space-before-colon probe; if it doesn't 400, dig deeper

H2.CL / H2.TE (the modern dominant vector)

H2-downgrade smuggling attacks rely on the front-end speaking HTTP/2 to the client and HTTP/1.1 to origin. The downgrade introduces CL/TE confusion because HTTP/2's frame-length headers don't survive the conversion cleanly. Most CDN+origin chains in 2024-2026 use this exact topology.

Tools that send HTTP/2 raw frames (Burp Pro's HTTP Request Smuggler extension, h2csmuggler, smuggler.py) are the right starting point against CDN-fronted targets. Avoid HTTP/1.1-only test clients (curl, raw sockets) against H2-front-ended targets — you'll send the wrong protocol entirely.

Related Skills & Chains

• hunt-cache-poison — Smuggling + cache is the canonical critical chain; one smuggled request becomes the cached response for every subsequent victim. Chain primitive: CL.TE smuggle a request whose response body contains attacker HTML/JS → front-end cache stores it under a popular URL (/, /login) → de-sync poisoning where the smuggled request becomes the cached response for the next N victims, persisting for the cache TTL.
• hunt-auth-bypass — Smuggling reaches internal-only routes that the front-end WAF/auth-proxy filters out. Chain primitive: smuggle GET /admin/users HTTP/1.1 past the front-end ACL that blocks external /admin/* → backend processes the smuggled request as if from a trusted internal source → bypass front-end auth by smuggling internal-routed request → admin data in the response queue.
• hunt-idor — Smuggling attaches the NEXT user's session cookies to an attacker-controlled request path. Chain primitive: smuggle GET /api/me HTTP/1.1 with no cookies → backend pairs it with the next legitimate user's incoming connection cookies → victim's session cookie attached to attacker's smuggled request → attacker reads the response containing victim's PII/tokens.
• hunt-xss — Smuggling injects XSS payloads into the response stream of the next victim without ever appearing in a URL parameter. Chain primitive: smuggled request body contains reflected payload that the backend renders into the next response in the queue → next visitor to / receives attacker HTML inline → reflected XSS at every visitor without any URL parameter visible to them or to logs.
• security-arsenal — Reach for the smuggling payload bank (CL.TE / TE.CL / TE.TE obfuscations, H2.CL downgrade probes, h2csmuggler one-liners, Burp HTTP Request Smuggler extension config) and the time-delay confirmation template before manual hex-editing.
• triage-validation — Run the Pre-Severity Gate before claiming Critical: the smuggled-request effect MUST land on a request issued by a different client/session, not your own follow-up. A timing delta in your own browser alone is parser disagreement, not exploitable smuggling.