Critical · A05:2021 · CWE-444 · Protocol

HTTP Request Smuggling

HTTP Request Smuggling exploits discrepancies between how a frontend proxy and a backend server parse the boundaries of HTTP requests, allowing attackers to inject requests that are processed on behalf of other users.

What Is HTTP Request Smuggling?

HTTP Request Smuggling (also called HTTP Desync) exploits ambiguity in how HTTP/1.1 defines request boundaries. When a frontend proxy (nginx, Cloudflare, AWS ALB) and a backend server disagree on where one request ends and the next begins, an attacker can "smuggle" a hidden request past the frontend: the backend treats the leftover bytes as the start of the next request on the same keep-alive connection, so they are prepended to another user's legitimate request.

The vulnerability exists in the gap between two HTTP headers that both define body length: Content-Length and Transfer-Encoding: chunked. RFC 7230 says Transfer-Encoding takes precedence when both are present, but not every proxy and server applies that rule, and each may parse the headers slightly differently.

How It Works

CL.TE Attack

The frontend uses Content-Length, the backend uses Transfer-Encoding:

POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked
 
0
 
SMUGGLED

The frontend sees Content-Length: 13 and forwards the full 13-byte body (0\r\n\r\nSMUGGLED). The backend honours Transfer-Encoding: chunked instead, reads the zero-length terminating chunk (0\r\n\r\n), and treats the remaining SMUGGLED as the start of the next request on the connection — which gets prepended to the next user's request.

TE.CL Attack

The frontend uses Transfer-Encoding, the backend uses Content-Length:

POST / HTTP/1.1
Host: target.com
Content-Length: 3
Transfer-Encoding: chunked
 
8
SMUGGLED
0
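In the TE.CL case the roles flip: the frontend decodes the chunked body and forwards all of it, while a backend honouring Content-Length: 3 reads only 8\r\n as the body and parses SMUGGLED as the start of a new request. The following is an added example, not code from the original page: a minimal HTTP/1.1 framer that splits one byte stream into requests under either rule, so the frontend's and backend's views of the two payloads above can be compared side by side. The payload bytes are constructed here to mirror the two examples with explicit CRLF line endings.

```python
# Added example: a tiny HTTP/1.1 framer that splits a byte stream into requests
# using Content-Length-first or Transfer-Encoding-first semantics, so the
# frontend/backend disagreement behind CL.TE and TE.CL can be observed directly.

CRLF = b"\r\n"


def parse_head(data):
    """Split off one request head.

    Returns (request_line, headers dict with lowercased names, remaining bytes).
    Raises ValueError if the blank line ending the head has not arrived yet.
    """
    head, sep, rest = data.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, rest


def read_chunked(data):
    """Consume a chunked body; return (decoded body, bytes after the last chunk)."""
    body = b""
    while True:
        size_line, sep, data = data.partition(CRLF)
        if not sep:
            raise ValueError("incomplete chunk size line")
        size = int(size_line.split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                line, sep, data = data.partition(CRLF)
                if not sep:
                    raise ValueError("incomplete trailer section")
                if line == b"":
                    return body, data
        body += data[:size]
        data = data[size + 2:]  # chunk data plus its own trailing CRLF


def split_requests(data, prefer):
    """Frame a byte stream into (request_line, body) pairs.

    prefer="te": Transfer-Encoding wins when both headers are present, as
    RFC 7230 section 3.3.3 requires.  prefer="cl": Content-Length wins, the
    behaviour of a non-compliant parser.  Returns (requests, leftover bytes that
    do not yet form a complete head and would be joined to whatever arrives next
    on the same connection).
    """
    requests = []
    while data:
        try:
            request_line, headers, rest = parse_head(data)
        except ValueError:
            break  # incomplete head: bytes wait for the next request on the socket
        chunked = headers.get("transfer-encoding", "").lower() == "chunked"
        has_cl = "content-length" in headers
        if chunked and (prefer == "te" or not has_cl):
            body, data = read_chunked(rest)
        elif has_cl:
            n = int(headers["content-length"])
            body, data = rest[:n], rest[n:]
        else:
            body, data = b"", rest
        requests.append((request_line, body))
    return requests, data


# Constructed payloads mirroring the CL.TE and TE.CL examples above.
CL_TE = (b"POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nSMUGGLED")
TE_CL = (b"POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"8\r\nSMUGGLED\r\n0\r\n\r\n")


def desync(data, frontend, backend):
    """Return (requests seen by frontend, requests seen by backend, backend leftover bytes)."""
    front, _ = split_requests(data, frontend)
    back, leftover = split_requests(data, backend)
    return len(front), len(back), leftover


if __name__ == "__main__":
    print("CL.TE:", desync(CL_TE, frontend="cl", backend="te"))  # (1, 1, b'SMUGGLED')
    print("TE.CL:", desync(TE_CL, frontend="te", backend="cl"))  # (1, 2, b'')
```

In the CL.TE run the backend finishes the first request with an empty body and holds SMUGGLED as an unfinished head; in the TE.CL run the backend's Content-Length rule leaves SMUGGLED\r\n0\r\n\r\n in the stream, which it then frames as a second request whose request line is SMUGGLED. Either way the frontend saw exactly one request, which is the desynchronisation the attack relies on.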

Practical Exploit — Session Hijacking

An attacker smuggles a request that captures the next victim's request body:

POST /search HTTP/1.1
Content-Length: 166
Transfer-Encoding: chunked
 
0
 
POST /store-search HTTP/1.1
Content-Length: 900
...

The victim's next request (including their cookies and session token) gets appended to the smuggled POST body, which the attacker then reads.

Real-World Impact

  • Session hijacking — steal session tokens from other users' in-flight requests
  • WAF bypass — the smuggled request bypasses WAF rules applied only by the frontend
  • Cache poisoning — poison shared caches to serve malicious responses to all users
  • Credential theft — capture login requests with username and password
  • Privilege escalation — deliver requests as if from a trusted internal source

How to Fix

Normalize all requests at the edge:

# nginx — reject ambiguous requests
proxy_http_version 1.1;
proxy_request_buffering on;

Use HTTP/2 end-to-end — HTTP/2 carries body length in its binary framing and has no CL/TE ambiguity. The protection only holds if the proxy also speaks HTTP/2 to the backend; a proxy that downgrades to HTTP/1.1 on the backend leg reintroduces the ambiguity.

Configure backend to reject Transfer-Encoding if frontend doesn't use it:

Most modern frameworks (FastAPI, Express, Rails) handle this automatically when deployed correctly. The issue arises in misconfigured reverse proxy chains.
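One way to implement the "reject rather than guess" policy at the edge or in the backend, as an added example that is not the page's code or any framework's built-in behaviour: a header-level check that refuses any request whose body length is ambiguous before a body parser ever runs. The sample request heads in the test are constructed.

```python
# Added example: a strict framing policy for an HTTP/1.1 front door.  It rejects
# every request that carries two competing body-length rules, or a rule written in
# a form different parsers might read differently, instead of picking a winner.
import re
from typing import Optional

_DIGITS = re.compile(rb"^[0-9]+$")


def _header_pairs(raw):
    """Yield (lowercased name, stripped value) for the head of a raw request.

    Raises ValueError on header lines a strict server should refuse outright.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation lines (RFC 7230 section 3.2.4) are a classic parser divergence
            raise ValueError("obsolete line folding in header block")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon")
        if name != name.rstrip():
            raise ValueError("whitespace between header name and colon")
        yield name.lower(), value.strip()


def validate_framing(raw) -> Optional[str]:
    """Return None if the request has exactly one unambiguous body-length rule,
    otherwise a short reason the request should be rejected with 400."""
    try:
        pairs = list(_header_pairs(raw))
    except ValueError as exc:
        return str(exc)
    content_lengths = [v for n, v in pairs if n == b"content-length"]
    transfer_encodings = [v for n, v in pairs if n == b"transfer-encoding"]
    if content_lengths and transfer_encodings:
        return "both Content-Length and Transfer-Encoding present"
    if transfer_encodings:
        # exactly one value, and only the encoding this server actually supports
        if len(transfer_encodings) != 1 or transfer_encodings[0].lower() != b"chunked":
            return "Transfer-Encoding must be exactly 'chunked'"
    if content_lengths:
        # repeated Content-Length is tolerated only when every copy agrees
        if len(set(content_lengths)) != 1 or not _DIGITS.match(content_lengths[0]):
            return "conflicting or malformed Content-Length"
    return None


if __name__ == "__main__":
    # Constructed request heads for a quick demonstration.
    for raw in (
        b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
        b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n",
    ):
        print(raw.split(b"\r\n")[0], "->", validate_framing(raw) or "accepted")
```

The check runs before any body bytes are consumed, so a rejected request leaves nothing on the connection for a later request to inherit. Closing the connection after a 400 is the safer follow-up, since the client and server no longer agree on where the offending message ends.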

Cloudflare / AWS WAF: Enable "HTTP DeSynch Attack Protection" in WAF settings.

Test your stack with a known-safe tool like Burp Suite's HTTP Request Smuggler.

What VibeWShield Detects

VibeWShield's Request Smuggling scanner activates when a reverse proxy or CDN is detected (CF-Ray, Via, X-Cache headers). It tests:

  • CL.TE — timing oracle (≥4s delay indicates smuggled body buffering)
  • TE.CL — chunked body with mismatched Content-Length
  • CL.0 — Content-Length: 0 with a non-empty body

Confirmed findings are flagged as Critical with the exact payload and timing evidence.

#request-smuggling #http #proxy #desync #waf-bypass

Test your app for HTTP Request Smuggling

VibeWShield automatically checks for HTTP Request Smuggling and 40+ other vulnerabilities using 63 scanners — in under 3 minutes, no signup required.