HTTP Request Smuggling (HRS) is a powerful web application vulnerability that exploits discrepancies in how different servers or intermediaries parse and handle HTTP requests. This misalignment can allow an attacker to “smuggle” a malicious request through a front-end server (such as a load balancer, proxy, or CDN) so that it is interpreted differently by the back-end server.

How HTTP Request Smuggling Works

Modern web applications often rely on chains of intermediaries — proxies, reverse proxies, CDNs, and application servers. These components must all agree on where one HTTP request ends and the next begins. If they disagree, attackers can craft specially malformed requests that cause desynchronization.

Common techniques include:

  • CL.TE (Content-Length vs. Transfer-Encoding): Supplying conflicting headers so that the front-end and back-end use different request boundaries.
  • TE.CL: Reverse order of precedence, confusing intermediaries.
  • TE.TE: Multiple Transfer-Encoding headers to trigger parsing differences.

As a result, an attacker’s hidden request may slip through to the back-end, often piggybacking on a legitimate user’s request.

Potential Impacts

Successful HTTP Request Smuggling can lead to severe exploitation scenarios, including:

  • Cache Poisoning: Injecting malicious content into a shared cache, which is then served to many users.
  • Credential Hijacking: Smuggling requests that steal cookies, tokens, or authentication headers.
  • Cross-User Attacks: Attaching attacker-controlled requests to victims’ sessions.
  • Bypassing Security Controls: Evading firewalls or WAF rules that rely on consistent parsing.

Real-World Example

Consider a proxy that trusts Content-Length while the back-end server prioritizes Transfer-Encoding.

An attacker could send:

POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 13
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable.com
  • The proxy interprets this as a harmless empty POST.
  • The back-end sees it as a request smuggling attack and processes the hidden GET /admin.

Mitigation Strategies

Defending against HTTP Request Smuggling requires strict consistency in HTTP request parsing across your infrastructure:

  1. Patch and Update: Ensure all proxies, load balancers, and servers are updated, since many vendors have released fixes.
  2. Normalize Headers: Configure systems to reject requests with both Content-Length and Transfer-Encoding headers.
  3. Disable Legacy Encodings: Disable chunked encoding if not required.
  4. Use a WAF with Smuggling Detection: Modern WAFs may detect suspicious request patterns.
  5. Perform Security Testing: Leverage tools like Burp Suite’s HTTP Desync Scanner to identify risks.

Conclusion

HTTP Request Smuggling is a subtle but highly impactful attack vector that exploits differences in how front-end and back-end systems interpret HTTP requests. By ensuring consistent parsing rules, applying patches, and proactively testing for vulnerabilities, organizations can significantly reduce their risk exposure.