HTTP Request Smuggler

This extension automatically detects and exploits HTTP Request Smuggling vulnerabilities using advanced desynchronization techniques developed by PortSwigger researcher James Kettle. It supports comprehensive scanning for HTTP/1.1 and HTTP/2-downgrade desync vulnerabilities, client-side desyncs, and connection state attacks.

Version 3.0 landed in 2025 and adds parser discrepancy detection, which bypasses widespread desync defences and makes it significantly more effective. For further information on this, refer to the whitepaper HTTP/1.1 Must Die: The Desync Endgame.

It's fully compatible with Burp Suite DAST, Professional, and Community editions. Pro and Community editions have a "research mode" for exploring novel techniques, and the DAST integration is useful if you want recurring scans to flag novel threats as soon as they're released.

Features

• Detection based on root-cause detection of underlying parsing discrepancies, which is significantly more reliable and resistant to target-specific quirks.
• Many permutation techniques for bypassing different server configurations
• HTTP/1.1 CL.TE and TE.CL desync detection with timeout-based confirmation
• HTTP/2 request smuggling including tunneling and header injection attacks
• Client-side desync detection for browser-powered attacks
• Header smuggling and removal vulnerability detection
• Connection state manipulation and pause-based desync techniques
• Automated exploit generation with Turbo Intruder integration
• False positive reduction through multiple validation techniques

Usage

Right click on a request and click 'Launch Smuggle probe', then watch the extension's output pane. For more advanced use watch the video, and check out the documentation.

Practice

We've also released free online labs to practise against.

Copyright © 2018-2025 PortSwigger Ltd.