Exploit HTTP request smuggling

offensive-request-smuggling skill setup L22,144
SnailSploit/Claude-Red
What it does

Detect HTTP request smuggling via CL.TE/TE.CL/TE.TE variants

Best for

Bug bounty request smuggling on multi-tier proxies and load balancers (Nginx, HAProxy, AWS ALB)

Inputs
  • target (proxy/load balancer)
  • request (timing-based or differential response)
Outputs
  • desync_proof (unrecognized method error, 504, or delayed response)
  • impact (cache poison, WAF bypass, credential hijack)
Requires
  • Burp Suite Repeater or custom threading tool
  • HTTP proxy
Preconditions

The target sits behind a reverse proxy or CDN (Nginx, HAProxy, ALB) and supports HTTP/1.1 or HTTP/2, and the tester can send raw HTTP requests.

Failure modes
  • Target normalizes headers (not vulnerable)
  • Modern WAF blocks CL.TE payloads
  • Network latency >100ms interferes with timing
  • HTTP/2 downgrade not supported
Trust signals
  • CL.TE/TE.CL/TE.TE mechanics explained with sequence diagrams
  • H2.CL and H2.TE variants documented
  • Detection tests with time delays and differential responses
  • Example payloads (GPOST, 5c chunk)