Awesome-HTTPRequestSmuggling

A curated list of awesome research about HTTP request smuggling attacks. Feel free to contribute! 🍻

Blogs

• HTTP Request Smuggling - The original research by Watchfire
• HTTP Desync Attacks: Request Smuggling Reborn - By James Kettle
• HTTP Desync Attacks: what happened next - By James Kettle
• Breaking the chains on HTTP Request Smuggler - By James Kettle
• h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) - By Jake Miller
• HTTP Desync Attacks with Python and AWS - By Emile Fugulin
• Security: HTTP Smuggling, Apache Traffic Server - By Regileros
• HAProxy HTTP request smuggling (CVE-2019-18277) - By Nathan Davison
• Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
• Desync Mitigation Mode for Amazon AWS Application and Classic Load Balancers
• Protocol Layer Attack - HTTP Request Smuggling - 中文版本
• Integer Overflow Enables HTTP Smuggling in HAProxy
• HTTP-Request-Smuggling slides - A collection of HTTP-Request-Smuggling mutations
• Cache Poisoning at Scale
• Empirical Study of HTTP Request Smuggling in Open-Source Servers and Proxies
• Harvesting Active Directory credentials via HTTP Request Smuggling

Talks

• DEF CON 24 - Hiding Wookiees in HTTP: HTTP smuggling - By regilero
• BH USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door - By James Kettle
• BH USA 2020 - HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges - By Amit Klein
• BH USA 2017 - Web Cache Deception Attack - By Omer Gil
• BH EU 2021 - Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond - By Daniel Thatcher
• Practical Attacks Using HTTP Request Smuggling - By Evan Custodio at NahamCon
• HTTP Request Smuggling via higher HTTP versions - By Emil Lerner at PHDays2021
• HTTP/2: The Sequel is Always Worse - By James Kettle at BHUSA2021
• Response Smuggling: Pwning HTTP 1 1 Connections - By Martin Doyhenard at DEF CON 29
• BH USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - By James Kettle

Tools

• PortSwigger/http-request-smuggler
• defparam/smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
• SafeBreach-Labs/HRS
• regilero/HTTPWookiee - An HTTP server and proxy stress tool (respect of RFC, HTTP Smuggling issues, etc)
• BishopFox/h2csmuggler - HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
• aws/http-desync-guardian - Analyze HTTP requests to minimize risks of HTTP Desync attacks
• neex/http2smugl - detects HTTP Request Smuggling that arise during HTTP/2 -> HTTP/1.1 conversion

Bug reports and bounties

• Paypal.com - Stored XSS on paypal.com/signin via cache poisoning. $18,900
• Paypal.com - Bypass for #488147 enables stored XSS on paypal.com/signin again. $20,000
• Slack account takeovers - Mass account takeovers using HTTP Request Smuggling to steal session cookies. $6,500
• Newrelic.com - Password theft login.newrelic.com via Request Smuggling. $3,000
• U.S. Dept Of Defense - Request smuggling on U.S. Dept Of Defense website
• Labs.data.gov - HTTP Request Smuggling on labs.data.gov. $750
• Ruby webrick - Potential HTTP Request Smuggling in ruby webrick. $500
• Cloudflare fixed an HTTP/2 smuggling vulnerability - Cloudflare applies weak validation on HTTP/2 headers. $1000
• Multiple HTTP Smuggling reports - By regilero

Other related attacks

• Host-of-Troubles attacks - Multiple Host header ambiguity to enable cache poisoning and firewall bypass
• BH USA 2020 - You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication - Exploiting email ambiguities to bypass SPF, DKIM, and DMARC authentication