Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

HTTP request smuggling: exploiting proxy disagreements

HTTP request smuggling exploits an ambiguity in the HTTP 1.1 specification regarding request delimitation. In HTTP 1.1, two headers can indicate request body length: Content-Length (length in bytes) and Transfer-Encoding: chunked (length in chunks). If the frontend proxy and backend server interpret differently which takes priority, the attacker can craft an ambiguous request.

The CL.TE and TE.CL variants

CL.TE: the proxy reads Content-Length, the backend reads Transfer-Encoding. The proxy forwards the request based on Content-Length, but the backend interprets the body as chunks. The part of the body ignored by the proxy is prepended to the backend's next request. TE.CL: the reverse. The proxy reads Transfer-Encoding, the backend reads Content-Length.

Simplified CL.TE request

POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 13
Transfer-Encoding: chunked

0

GET /admin

Impacts

The impacts of successful exploitation are varied and can be severe. Bypassing security controls: the proxy implements rules (WAF, access control) the backend won't see for the smuggled request. Poisoning other users' requests: the smuggled request is prepended to another user's connection, allowing capture of their data or redirecting them. Web cache poisoning. Access to internal endpoints normally filtered by the proxy.

Prevention

Prevention measures act on processing consistency between components. Use HTTP/2 end-to-end (HTTP/2 doesn't have this problem as it uses a different framing mechanism). If HTTP/1.1 is required, normalise requests at the proxy level (reject requests with both headers, or remove one of them). Ensure the proxy and backend use the same HTTP implementation or at least the same priority between the two headers. Disable backend connection reuse if possible.

Detection tool: the Burp Suite HTTP Request Smuggler extension automates detection of CL.TE, TE.CL, and TE.TE variants. James Kettle (PortSwigger Research) has published detailed research on this vulnerability class.

A question after reading?

Does your infrastructure use a proxy or load balancer in front of your server? Send a message.

Or book a 30-minute scoping call directly

Book a call