Prevention
Tools of the Trade
HTTP Request Smuggler (Burp Extension)
The primary tool for identifying and exploiting HTTP request smuggling vulnerabilities.
Installation
Open Burp Suite
Go to Extensions tab
Click BApp Store
Search for "HTTP Request Smuggler"
Click Install
Using HTTP Request Smuggler
Feature 1: Convert to Chunked Encoding
Automatically converts request body to chunked format with correct hex chunk sizes.
Before Conversion
How to Convert
Send request to Burp Repeater
Right-click request
Extensions → HTTP Request Smuggler → Convert to chunked
After Conversion
Note: 11 hex = 17 decimal (length of param1=HelloWorld)
Feature 2: Automated Smuggle Attacks
Launch Attack
Format request in chunked encoding
Right-click request
Extensions → HTTP Request Smuggler → Choose attack type:
Smuggle attack (CL.TE)
Smuggle attack (TE.CL)
Turbo Intruder Window
Opens with pre-configured attack script.
Customize the prefix (smuggled request):
Running the Attack
Modify prefix as needed
Click Attack button
Wait for iterations (sends every ~1 second)
Click Halt to stop
Analyze response lengths
Interpreting Results
Request 1: response length 4618 (normal index response)
Request 2: different response length (smuggled request response!)
Requests 3+: response length 4618 (normal responses)
Different response length on request 2 = Vulnerability confirmed!
Customizing Turbo Intruder Script
Default Script Structure
Modifications
Different smuggled path: Edit prefix variable
Add headers to smuggled: Add to prefix string
Change timing: Modify time.sleep(1)
More iterations: Change range(30)
Add POST body: Include in prefix
Example: Smuggled POST with Cookie
Other Useful Tools
smuggler.py
Python-based automated scanner.
h2csmuggler
HTTP/2 cleartext smuggling tool.
Manual Testing (Burp Repeater)
For precise control:
Disable "Update Content-Length"
Create tab groups
Send in sequence (single connection)
HTTP Request Smuggling Prevention
Why Prevention is Difficult
Server-level bugs: Vulnerabilities in web server software, not application
Hidden behavior: Developers unaware of underlying quirks
Architecture complexity: Multiple systems parsing same requests
Legacy support: HTTP/1.1 specification ambiguities
Prevention Recommendations
1. Keep Software Updated
Why: Most smuggling bugs are fixed in patches.
2. Patch "Unexploitable" Vulnerabilities
Why: Request smuggling can weaponize otherwise unexploitable bugs.
3. Configure Connection Handling
Why: Prevents desync from propagating to other requests.
4. Use HTTP/2 End-to-End
Why: HTTP/2 uses binary framing, eliminating CL/TE ambiguity.
Server-Specific Hardening
Nginx
Apache
HAProxy
Architecture Best Practices
Use Same Software Stack
Normalize Requests at Edge
Monitor for Anomalies
Detection Checklist
Both CL and TE present: Block or normalize
CL with chunked body: Block
Multiple CL headers: Block
Multiple TE headers: Block
Malformed TE values: Block
Unusual whitespace in headers: Block
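The header-level items of this checklist can be checked on the raw request head at the edge. The following is an added example, not code from the original page or from any of the tools it names; the function names, finding labels and the strict "only an exact chunked value" policy are assumptions of this sketch, and the "CL with chunked body" item is left out because it depends on the body.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # valid header-name bytes

def smuggling_findings(head: bytes) -> list[str]:
    """Check a raw HTTP/1.1 request head (request line plus header lines,
    without the final blank line) against the header-level checklist items."""
    findings, cl, te = set(), 0, 0
    rest = head.replace(b"\r\n", b"")
    if b"\r" in rest or b"\n" in rest:
        findings.add("unusual-whitespace")        # bare CR or LF used as a line break
    for line in re.split(rb"\r\n|\r|\n", head)[1:]:   # skip the request line
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            findings.add("unusual-whitespace")    # folded (continuation) line
            continue
        name, _, value = line.partition(b":")
        if not TOKEN.fullmatch(name):
            findings.add("unusual-whitespace")    # e.g. "Transfer-Encoding : chunked"
        key = re.sub(rb"[^a-z-]", b"", name.lower())  # name as a lenient parser sees it
        if key == b"content-length":
            cl += 1
        elif key == b"transfer-encoding":
            te += 1
            # Assumed policy for this example: accept only an exact "chunked".
            if value.strip(b" \t").lower() != b"chunked":
                findings.add("malformed-te")
    if cl and te:
        findings.add("cl-and-te")
    if cl > 1:
        findings.add("multiple-cl")
    if te > 1:
        findings.add("multiple-te")
    return sorted(findings)

def action(findings: list[str]) -> str:
    """Map findings to the checklist action."""
    if not findings:
        return "allow"
    return "block-or-normalize" if findings == ["cl-and-te"] else "block"

# Constructed sample head (not captured traffic): space before the colon, plus CL.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 17\r\nTransfer-Encoding : chunked")
if __name__ == "__main__":
    print(smuggling_findings(SAMPLE), action(smuggling_findings(SAMPLE)))
```
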
HTTP/2 Benefits
HTTP/2 eliminates request smuggling because:
Text-based parsing: Binary framing
CL/TE ambiguity: Stream-based length
Connection reuse issues: Multiplexed streams
Header manipulation: HPACK compression
However: Be cautious of HTTP/2 → HTTP/1.1 downgrades at reverse proxy!
Summary
Tools Quick Reference
HTTP Request Smuggler: Burp extension for auto-exploitation
Turbo Intruder: Automated timing attacks
smuggler.py: Python scanner
h2csmuggler: HTTP/2 smuggling
Prevention Priority
Update all proxy/server software
Patch all vulnerabilities (even "unexploitable" ones)
Configure strict error handling
Upgrade to HTTP/2 where possible