exploiting-http-request-smuggling

# Exploiting HTTP Request Smuggling ## When to Use - During authorized penetration tests when the application sits behind a reverse proxy, load balancer, or CDN - When testing infrastructure with multiple HTTP processors in the request chain (nginx + Apache, HAProxy + Gunicorn) - For assessing applications for HTTP desynchronization vulnerabilities - When other attack vectors are limited and you need to bypass front-end security controls - During security assessments of multi-tier web architectures ## Prerequisites - **Authorization**: Written penetration testing agreement explicitly covering request smuggling (high-risk test) - **Burp Suite Professional**: With HTTP Request Smuggler extension (Turbo Intruder) - **smuggler.py**: Automated HTTP request smuggling detection tool - **curl**: Compiled with HTTP/1.1 support and manual chunked encoding - **Target architecture knowledge**: Understanding of proxy/server chain (front-end and back-end) - **Caution**: Request smuggling can affect other users' requests; test carefully ## Workflow ### Step 1: Identify the HTTP Architecture Determine the proxy/server chain and HTTP parsing characteristics. ```bash # Identify front-end proxy/CDN curl -s -I "https://target.example.com/" | grep -iE \ "(server|via|x-served-by|x-cache|cf-ray|x-amz|x-varnish)" # Common architectures: # Cloudflare → Nginx → Application # AWS ALB → Apache → Application # HAProxy → Gunicorn → Python app # Nginx → Node.js/Express # Akamai → IIS → .NET app ...