HTTP request smuggling

PortSwigger Academy HTTP request smuggling Labs

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users.

HTTP request smuggling remains a critical threat, especially in modern architectures (reverse proxies, CDNs, microservices). It is moderately prevalent but high-impact when exploited. It can lead to bypassed security controls (WAFs, authentication), hijacked sessions (stolen Cookie/Authorization headers), cache poisoning (serving malicious content to users), and credential theft (via smuggled requests to internal APIs).

It is still relevant because more layers (load balancers, API gateways, WAFs) mean more parsing inconsistencies, and many servers still mishandle Content-Length vs. Transfer-Encoding conflicts and chunked encoding quirks. Serverless platforms (AWS Lambda, Cloudflare Workers) also introduce new smuggling vectors.

Testing for HTTP request smuggling is worthwhile when the app uses reverse proxies (Nginx, HAProxy, Cloudflare), when you notice inconsistent behaviour between frontend and backend servers, and/or when the system handles sensitive data (auth headers, APIs, payment flows).
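
The Content-Length vs. Transfer-Encoding conflicts mentioned above can be screened for at the front end. The following is an added example, not part of the original page or any product's code: a strict check of a raw HTTP/1.1 request head for ambiguous framing, following the framing rules of RFC 9112. The function name, the rule set (stricter than the RFC in places), and the constructed sample requests are assumptions for illustration.

```python
# Added example: flag ambiguous message framing in a raw HTTP/1.1 request.
# framing_issues() and the sample requests are hypothetical, constructed here.

def framing_issues(raw: bytes) -> list[str]:
    """Return the reasons a front end should reject this request (empty = OK)."""
    issues = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    stray = head.replace(b"\r\n", b"")
    if b"\r" in stray or b"\n" in stray:
        issues.append("bare CR or LF in header section")
    lengths, encodings = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            issues.append("header line without colon")
            continue
        if name != name.strip():
            issues.append("whitespace around header name")
        key = name.strip().lower()
        if key == b"content-length":
            lengths.append(value.strip())
        elif key == b"transfer-encoding":
            encodings.append(value.strip().lower())
    # Aggregate checks: two framing headers, or two answers to "how long?"
    if lengths and encodings:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(lengths)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in lengths):
        issues.append("non-numeric Content-Length")
    # Strict policy (assumption): accept only a single, exact "chunked" value.
    if encodings and encodings != [b"chunked"]:
        issues.append("unexpected Transfer-Encoding value")
    return issues

# Constructed sample requests (not captured traffic).
HOST = b"Host: example.test\r\n"
CLEAN = b"POST /api HTTP/1.1\r\n" + HOST + b"Content-Length: 5\r\n\r\nhello"
BOTH = (b"POST /api HTTP/1.1\r\n" + HOST + b"Content-Length: 5\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api HTTP/1.1\r\n" + HOST + b"Content-Length: 5\r\n"
          b"Content-Length: 6\r\n\r\nhello!")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("both", BOTH), ("dup-cl", DUP_CL)):
        print(label, framing_issues(req) or "ok")
```

Rejecting such requests outright at the first hop, rather than forwarding them for a downstream server to reinterpret, removes the disagreement that smuggling depends on.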


Last update: 2025-05-19 17:27