Hunt HTTP request smuggling attacks

hunt-http-smuggling skill setup L11,791
elementalsouls/Claude-BugHunter
What it does

Detect HTTP/1.1 and HTTP/2 request smuggling (CL.TE, TE.CL, H2.CL, H2.TE desync)

Best for

Bug bounty hunters on older deployments (HAProxy <2.4, legacy F5, Citrix ADC) or AWS ALB+origin chains with H2 downgrade.

Inputs
  • target reverse-proxy or load-balancer (fronting origin)
  • HTTP/2 or HTTP/1.1 endpoint
Outputs
  • smuggling vulnerability confirmed (timing delay or cache poison)
  • next-user request smuggled
  • auth bypass via internal-path injection
Requires
  • Burp HTTP Request Smuggler extension
  • smuggler.py
  • h2csmuggler
  • curl --http2-prior-knowledge
Preconditions
  • front-end and back-end use different HTTP versions OR differ on CL/TE parsing
Failure modes
  • both tiers RFC 9112 strict (Nginx 1.21+, Caddy, Envoy hardened)
  • rate limiting enforces serialization
  • request smuggling is DoS-only (no auth bypass)
Trust signals
  • 2026 target-suitability matrix showing which proxies are still vulnerable
  • Real paid reports 2022-2024 from CDN chains
  • Cites PortSwigger research (Kettle)