HTTP Request Smuggling Research

HTTP Request Smuggling is an advanced technique for attacking websites composed of multiple servers. An attack is launched by sending ambiguous HTTP requests that get interpreted as different lengths by the servers. This causes them to desynchronize, and merge requests and responses from attackers and legitimate users.

This can ultimately lead to a wide range of serious effects. These include letting attackers steal plaintext passwords, and poison caches to persistently compromise critical functionality like login pages. It was first documented in 2004, but largely forgotten until we revisited it in 2019. We built on the existing request smuggling research with modern techniques and tooling, earning six figures in bug bounties along the way.

HTTP Request Smuggling Research

We presented HTTP Desync Attacks: Request Smuggling Reborn at both Black Hat USA and DEF CON. This repopularized the technique, and has since led to a wave of discoveries and patches.

We also released a collection of interactive labs as part of our Web Security Academy, so you can practise applying the techniques to real systems.

Since the publication of our initial request smuggling research, we've issued periodic updates with more novel techniques and tooling for this attack technique.