CyberGlossary

Vulnerabilities

HTTP Request Smuggling

Also known as: HRS, Request smuggling

Definition

An attack that exploits disagreements between a front-end proxy and a back-end server on how an HTTP request ends, so an attacker can sneak a hidden second request through.

HTTP request smuggling abuses inconsistent parsing of the Content-Length and Transfer-Encoding headers (CL.TE, TE.CL, TE.TE) between intermediaries such as load balancers, CDNs, reverse proxies and origin servers. By crafting an ambiguous request, the attacker makes the front end and back end disagree on where the message ends, allowing a smuggled request to be processed in the context of another user's connection. Consequences include cache poisoning, credential theft, bypass of WAFs, and account takeover. Defences include normalising or rejecting ambiguous requests, using HTTP/2 end-to-end, keeping front-end and back-end implementations aligned, and applying vendor patches.
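The "rejecting ambiguous requests" defence above, sketched as an added example that is not part of the original glossary entry. The function name `framing_issues`, the strict policy of accepting only a lone `Transfer-Encoding: chunked`, and the sample request heads are assumptions made for illustration.

```python
import re

# RFC 9110 "token": the only bytes allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_issues(head: bytes) -> list[str]:
    """Return reasons to reject a request head (request line + headers, no body)."""
    issues = []
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        issues.append("bare CR or LF line ending")
    cl, te = [], []
    for line in head.replace(b"\r\n", b"\n").split(b"\n")[1:]:
        if not line:
            break  # blank line ends the header section
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # e.g. "Transfer-Encoding : chunked", which parsers may treat differently
            issues.append(f"malformed header name {name!r}")
        key, value = name.strip().lower(), value.strip(b" \t")
        if key == b"content-length":
            cl.append(value)
        elif key == b"transfer-encoding":
            te.append(value)
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:
        issues.append("multiple Content-Length headers")
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cl):
        issues.append("Content-Length is not a plain decimal")
    if te and (len(te) > 1 or te[0].lower() != b"chunked"):
        issues.append("Transfer-Encoding is not exactly 'chunked'")  # strict policy (assumption)
    return issues

# Constructed sample request heads (no bodies), for illustration only.
H = b"POST / HTTP/1.1\r\nHost: example.test\r\n"
CLEAN = H + b"Content-Length: 5\r\n\r\n"
CL_TE = H + b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
DUP_CL = H + b"Content-Length: 6\r\nContent-Length: 0\r\n\r\n"
SPACED_TE = H + b"Transfer-Encoding : chunked\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("clean", CLEAN), ("cl+te", CL_TE), ("dup-cl", DUP_CL), ("spaced-te", SPACED_TE)]:
        print(label, "->", framing_issues(head) or "accept")
```

A front end applying a check like this would answer with 400 and close the connection instead of forwarding a request whose length the back end might read differently.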

Examples

  • CL.TE smuggling against a CDN/back-end pair where the CDN uses Content-Length and the origin uses Transfer-Encoding.
  • Smuggled POST request stealing the next user's Authorization header from a shared keep-alive connection.
