pentest-http-smuggling
maintained by jd-opensource
star
164
account_tree
31
verified_user
MIT License
name: pentest-http-smuggling description: HTTP request smuggling, desync attacks, cache poisoning, and protocol-level vulnerability testing.
Pentest HTTP Smuggling
Purpose
Detect and exploit discrepancies between front-end proxies and back-end servers in HTTP request parsing. These attacks bypass security controls, poison caches, and hijack requests — entirely absent from standard taint analysis pipelines.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for protocol-level testing
- Infrastructure awareness — identify all reverse proxies, CDNs, load balancers in path
- Rollback plan for cache poisoning tests (CDN purge access)
- Emergency contacts for infrastructure team (smuggling can affect other users)
Environment Setup
- Python 3.x with raw socket capability for crafted HTTP requests
- Burp Suite Professional with HTTP Request Smuggler extension
- curl compiled with HTTP/2 support (
--http2-prior-knowledge) - Turbo Intruder for timing-sensitive attacks
- Network capture tool (Wireshark/tcpdump) for response analysis
Core Workflow
- Stack Fingerprinting: Identify reverse proxies (nginx, HAProxy, Cloudflare, AWS ALB), CDNs, load balancers. Determine HTTP version support (HTTP/1.1, HTTP/2) and parsing behavior.
- CL.TE Smuggling: Craft requests where front-end uses Content-Length and back-end uses Transfer-Encoding. Observe differential parsing and request boundary confusion.
- TE.CL Smuggling: Reverse scenario — front-end uses Transfer-Encoding, back-end uses Content-Length. Test with obfuscated TE headers.
- TE.TE Smuggling: Both sides use Transfer-Encoding but one can be confused with header obfuscation (capitalization, whitespace, duplicate headers).
- HTTP/2 Downgrade: Exploit H2-to-H1 translation at reverse proxies. Header injection via pseudo-headers, CRLF injection in H2 headers, request splitting through H2 CONTINUATION frames.
- Cache Poisoning: Poison cached responses with attacker-controlled content. Test cache key vs cache content discrepancies. Verify with different client sessions.
- Host Header Attacks: Host header injection, password reset poisoning, routing-based SSRF, web cache poisoning via ambiguous Host headers (WSTG-INPV-17).
- Impact Validation: Demonstrate cache poisoning, credential theft, request hijacking, or security control bypass as PoC.
WSTG Coverage
| WSTG ID | Test Name | Status |
|---|---|---|
| WSTG-INPV-15 | HTTP Request Smuggling | ✅ |
| WSTG-INPV-17 | Host Header Injection | ✅ |
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| Smuggling Detection | smuggler.py, HTTP Request Smuggler (Burp) | Automated CL.TE/TE.CL detection |
| HTTP/2 Testing | h2csmuggler, curl --http2, nghttp | H2 downgrade and desync attacks |
| Timing Attacks | Turbo Intruder | Microsecond-precision request timing |
| Raw Requests | Python sockets, netcat | Crafted malformed HTTP requests |
| Cache Analysis | curl, custom scripts | Cache behavior verification |
| Traffic Capture | Wireshark, tcpdump | Response boundary analysis |
References
-
references/tools.md- Tool function signatures and parameters -
references/workflows.md- Attack pattern definitions and test vectors
chat Comments (0)
Sign in to join the discussion and leave a comment.
Skill Details
GitHub Stars
164
GitHub Forks
31
Created
Mar 2026
Last Updated
3 months ago
tools
tools debugging
Related Skills
Build your own?
Join 12,000+ developers contributing to the Claude ecosystem.
No comments yet. Be the first to share your thoughts!