---
name: pentest-http-smuggling
description: HTTP request smuggling, desync attacks, cache poisoning, and protocol-level vulnerability testing.
---

# Pentest HTTP Smuggling

## Purpose

Detect and exploit discrepancies in how front-end proxies and back-end servers parse HTTP requests. These attacks bypass security controls, poison caches, and hijack other users' requests, and they are not detected by standard taint-analysis pipelines because they arise from parsing differences between components rather than from data flow inside application code.

## Prerequisites

### Authorization Requirements

- **Written authorization** with explicit scope for protocol-level testing
- **Infrastructure awareness**: identify every reverse proxy, CDN, and load balancer in the request path
- **Rollback plan** for cache poisoning tests (CDN purge access)
- **Emergency contacts** for the infrastructure team (smuggling can affect other users)

### Environment Setup

- Python 3.x with raw socket capability for crafted HTTP requests
- Burp Suite Professional with the HTTP Request Smuggler extension
- curl compiled with HTTP/2 support (`--http2-prior-knowledge`)
- Turbo Intruder for timing-sensitive attacks
- Network capture tool (Wireshark/tcpdump) for response analysis

## Core Workflow

1. **Stack Fingerprinting**: Identify reverse proxies (nginx, HAProxy, Cloudflare, AWS ALB), CDNs, and load balancers. Determine HTTP version support (HTTP/1.1, HTTP/2) and parsing behavior.
2. **CL.TE Smuggling**: Craft requests where the front end uses Content-Length and the back end uses Transfer-Encoding. Observe differential parsing and request boundary confusion.
3. **TE.CL Smuggling**: The reverse scenario: the front end uses Transfer-Encoding and the back end uses Content-Length. Test with obfuscated TE headers.
4. **TE.TE Smuggling**: Both sides support Transfer-Encoding, but one of them can be confused by header obfuscation (capitalization, whitespace, duplicate headers) into ignoring it.
5. **HTTP/2 Downgrade**: Exploit H2-to-H1 translation at reverse proxies: header injection via pseudo-headers, CRLF injection in H2 headers, and request splitting through H2 CONTINUATION frames.
6. **Cache Poisoning**: Poison cached responses with attacker-controlled content. Test for discrepancies between the cache key and the cached content. Verify with different client sessions.
7. **Host Header Attacks**: Host header injection, password reset poisoning, routing-based SSRF, and web cache poisoning via ambiguous Host headers (WSTG-INPV-17).
8. **Impact Validation**: Demonstrate cache poisoning, credential theft, request hijacking, or security control bypass as a PoC.

## WSTG Coverage

| WSTG ID | Test Name | Status |
|---------|-----------|--------|
| WSTG-INPV-15 | HTTP Request Smuggling | ✅ |
| WSTG-INPV-17 | Host Header Injection | ✅ |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Smuggling Detection | smuggler.py, HTTP Request Smuggler (Burp) | Automated CL.TE/TE.CL detection |
| HTTP/2 Testing | h2csmuggler, curl --http2, nghttp | H2 downgrade and desync attacks |
| Timing Attacks | Turbo Intruder | Microsecond-precision request timing |
| Raw Requests | Python sockets, netcat | Crafted malformed HTTP requests |
| Cache Analysis | curl, custom scripts | Cache behavior verification |
| Traffic Capture | Wireshark, tcpdump | Response boundary analysis |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors
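The CL.TE, TE.CL and TE.TE steps of the Core Workflow all depend on a front end forwarding a request whose framing is ambiguous. The fix on the proxy side is to refuse such requests before they reach the back end, and the check below is useful on an engagement for confirming what a target's front end should have rejected. It is an added example, not code from this skill or from the referenced tools: a strict framing check that returns every reason an RFC 7230-conforming front end should answer 400 instead of forwarding; the sample requests are constructed.

```python
from __future__ import annotations
import re

# Constructed samples: a clean POST and a request carrying both framing
# headers plus an obfuscated transfer-coding (the CL.TE / TE.TE shape).
CLEAN = b"POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 7\r\n\r\nq=hello"
AMBIGUOUS = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 7\r\nTransfer-Encoding: xchunked\r\n\r\nq=hello")

# RFC 7230 token characters; no whitespace is allowed before the colon.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons a strict front end should reject `raw` with 400
    instead of forwarding it: each one is a framing ambiguity that a more
    lenient back end might resolve differently (the root of CL.TE, TE.CL
    and TE.TE desyncs). An empty list means the framing is unambiguous."""
    problems: list[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no CRLFCRLF header terminator"]
    content_lengths: list[bytes] = []
    transfer_encodings: list[bytes] = []
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        if b"\n" in line:                       # bare LF is a known desync vector
            problems.append("bare LF inside header block")
        if line[:1] in (b" ", b"\t"):           # obs-fold: RFC 7230 says reject
            problems.append("obsolete line folding (obs-fold)")
            continue
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):  # e.g. "Transfer-Encoding :"
            problems.append(f"malformed header name {name!r}")
            continue
        value = value.strip(b" \t")             # only SP/HTAB count as OWS
        if name.lower() == b"content-length":
            content_lengths.append(value)
        elif name.lower() == b"transfer-encoding":
            transfer_encodings.append(value)
    if len(set(content_lengths)) > 1:
        problems.append("conflicting duplicate Content-Length values")
    for cl in set(content_lengths):
        if not cl.isdigit():
            problems.append(f"non-numeric Content-Length {cl!r}")
    for te in transfer_encodings:               # accept exactly "chunked"
        if te.lower() != b"chunked":
            problems.append(f"unrecognised Transfer-Encoding {te!r}")
    if content_lengths and transfer_encodings:  # never let both through
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems
```

A front end that rejects on any non-empty result removes the parsing disagreement the smuggling steps rely on; a lenient one that silently picks a winner is the condition the workflow is testing for.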