HTTP request smuggling

HTTP request smuggling is the process of confusing a web server into accepting multiple requests at once. Because the server is only able to answer the first request, the second is held until another request comes in. When an unsuspecting user then makes a normal request while a smuggled request is already waiting on the web server, the smuggled one may be returned instead.

How does HTTP smuggling work

I've provided a sample request below; as you can see, it looks like two requests in one.

POST /post/comment HTTP/2.0
Host: vulnerable-site.com
Transfer-Encoding: chunked
Content-Length: 4


1
a
GET /404 HTTP/2.0
Host: dangerous-site.com

So let's break down what's happening here. If you look at the original request, you can see the document we're requesting and the domain we're visiting. After this you'll see two headers, `Transfer-Encoding` and `Content-Length`. Each of them tells the receiver, in a different way, where the request body ends. On vulnerable websites, providing both headers can confuse the different systems in use and allow an additional request to be smuggled in, hence the name HTTP smuggling.

So, what are the implications of HTTP smuggling? In the example we've given, when an unsuspecting user visits the website after the smuggled request has been sent, rather than receiving the page they intended they will be redirected to the malicious website, where an attacker could be hosting harmful content.
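
A defensive check for the header ambiguity described above, as an added example that is not part of the original page: it inspects a request's header block and reports framing that a front end should reject rather than forward. The function name `framing_issues`, the strict "only `chunked`" policy and the clean request are assumptions of this example; the flagged input is the header block of the sample request above.

```python
import re

AMBIGUOUS_BOTH = "both Transfer-Encoding and Content-Length present"

def framing_issues(raw: bytes) -> list[str]:
    """Return reasons to reject a request; an empty list means its framing is unambiguous."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    issues, te, cl = [], [], []
    for line in head.split("\r\n")[1:]:           # skip the request line
        if line[:1] in (" ", "\t"):
            issues.append("obsolete line folding in headers")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            issues.append(f"malformed header line: {line!r}")
            continue
        if name != name.strip():
            # e.g. "Transfer-Encoding : chunked" is read differently by different parsers
            issues.append(f"whitespace around header name: {name!r}")
        key = name.strip().lower()
        if key == "transfer-encoding":
            te.append(value.strip().lower())
        elif key == "content-length":
            cl.append(value.strip())
    if te and cl:
        issues.append(AMBIGUOUS_BOTH)             # the case shown in the sample request
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        issues.append("non-numeric Content-Length")
    if any(v != "chunked" for v in te):           # strict policy assumed for this example
        issues.append("Transfer-Encoding value other than 'chunked'")
    return issues

# Header block of the page's sample request (body omitted; only headers are inspected).
SAMPLE = (b"POST /post/comment HTTP/2.0\r\n"
          b"Host: vulnerable-site.com\r\n"
          b"Transfer-Encoding: chunked\r\n"
          b"Content-Length: 4\r\n\r\n")
# Constructed request with a single, unambiguous body length.
CLEAN = (b"POST /post/comment HTTP/1.1\r\n"
         b"Host: vulnerable-site.com\r\n"
         b"Content-Length: 4\r\n\r\nabcd")

if __name__ == "__main__":
    for label, req in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, framing_issues(req) or "ok")
```

Running the same check at every hop (proxy, load balancer, application server) matters because the problem only arises when two systems disagree about where a request ends.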
