
hunt-http-smuggling

Hunt HTTP request smuggling (CL.TE, TE.CL, H2.CL, H2.TE). Cause: the front-end proxy and the back-end server disagree on where one request ends and the next begins (inconsistent parsing of the Content-Length and Transfer-Encoding headers). CL.TE: front-end honours CL, back-end honours TE → smuggle by sending TE: chunked with a body that fits the CL count. TE.CL: the opposite. H2.CL: HTTP/2 downgrade; smuggle a CL header into the HTTP/1.1 back-end. Detection tools: Burp HTTP Request Smuggler extension, smuggler.py, h2csmuggler. Confirm: time-delay technique (smuggled GET with 30s timeout) — if the front-end responds slowly to the next victim request, smuggling works. Validate: cache poisoning chain (smuggle a request that gets cached for the victim), credential theft (smuggle an X-Forwarded-For override that captures the next user's cookies), auth bypass (smuggled internal-path request). Real paid examples from major CDN deployments. Use when hunting H1 paid programs running CDN+origin stacks, or when targeting load balancer / WAF bypass.
elementalsouls/Claude-BugHunter · ★ 1,478 · AI & Automation · score 83
Install: claude install-skill elementalsouls/Claude-BugHunter
## 17. HTTP REQUEST SMUGGLING

> Lowest dup rate. $5K–$30K. PortSwigger research by James Kettle.

### CL.TE (Content-Length front, Transfer-Encoding back)

```http
POST / HTTP/1.1
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```

### Detection

```
1. Burp extension: HTTP Request Smuggler
2. Right-click request → Extensions → HTTP Request Smuggler → Smuggle probe
3. Manual timing: CL.TE probe + ~10s delay = backend waiting for rest of body
```

### Impact Chain

```
Poison next request  → access admin as victim
Steal credentials    → capture victim's session
Cache poisoning      → stored XSS at scale
```

---

## Target-Suitability Matrix (2026 reality check)

The classic CL.TE / TE.CL payloads are NOT universally exploitable in 2026. Modern proxies are RFC 9112 strict by default. Fingerprint the front-end BEFORE investing time.

| Front-end | CL.TE | TE.CL | H2.CL | H2.TE | Notes |
|---|---|---|---|---|---|
| **Nginx ≥ 1.21** | NO | NO | partial (H2 ingress) | partial | RFC-strict; rejects CL+TE with HTTP 400. Verified locally on Nginx 1.27 — all 9 documented variants killed by front-end ([docs/verification/phase2h-smuggling-cachepoison.md](../../docs/verification/phase2h-smuggling-cachepoison.md)). |
| **Caddy 2.x** | NO | NO | — | — | Hardened by default |
| **Envoy ≥ 1.20** | NO | NO | partial | partial | Hardened in most paths |
| **HAProxy ≤ 2.4** | ✓ | ✓ | — | — | **Vulnerable**, see CVE-2021-40346 |
| **AWS ALB + specific upstream** | partial | partial | ✓ | ✓ | Sev