HTTP Request Smuggling
Request smuggling exploits disagreement between a front-end proxy and back-end server about where one request ends and the next begins.
Definition
HTTP request smuggling is the vulnerability that arises when an HTTP front-end (a CDN, a load balancer, a reverse proxy) and a back-end (an application server) parse the boundaries between consecutive requests differently. The attacker sends, over a single TCP connection, a byte sequence that the front-end parses as one request and the back-end parses as two. The "smuggled" tail is processed by the back-end as the start of the next request arriving on that connection, which belongs to another user, letting the attacker hijack or poison that user's session.
The bug class came to prominence with PortSwigger's 2019 research, which demonstrated exploitable smuggling against Akamai, CloudFront, Pulse Secure, and dozens of other deployments. More recent variants (TE.0, CL.0, the H2 desync class) keep the research area active.
How it works
The HTTP/1.1 specification offers two ways to delimit a request body: `Content-Length` and `Transfer-Encoding: chunked`. When both headers are present in conflicting forms, two HTTP implementations may honour different ones. The attacker crafts a request in which one implementation treats the body as ending at byte N and the other treats it as ending at byte M > N. Whichever side stops at N leaves the bytes between N and M on the connection as the start of the next request; when that side is the back-end, the attacker controls the opening of a request that the back-end will service as someone else.
Impact
Request hijacking, cache poisoning, session theft, and bypass of front-end security controls (WAFs, auth gateways). Where the front-end multiplexes many clients over shared keep-alive connections to the back-end, the blast radius is every user routed through the same back-end connection.
Mitigation
Use HTTP/2 end-to-end where possible (chunked-encoding ambiguity is impossible there). When HTTP/1.1 is required, terminate every request at the front-end and re-emit a normalised request to the back-end. Reject requests that carry both `Content-Length` and `Transfer-Encoding` headers, or malformed chunk delimiters. Where possible, keep front-end and back-end on the same parser library.
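As an added example (not from this page or any named project), the strict framing check that the mitigation above calls for, in Python: it derives one unambiguous body length for an HTTP/1.1 request and refuses anything two parsers might read differently, so the N/M disagreement from "How it works" cannot occur behind it. The function names, the `shop.example` host and both sample requests are constructed for illustration; chunk trailers and obsolete line folding are deliberately rejected rather than parsed.

```python
import re

# Constructed sample requests (not captured traffic): a clean chunked upload and a CL.TE probe.
CLEAN = b"POST /upload HTTP/1.1\r\nHost: shop.example\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
CL_TE = b"POST /upload HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /x"

def body_length(raw: bytes) -> int:  # exact body length of the first request in raw, else ValueError
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    cl, te = [], []
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():  # bare field name only
            raise ValueError("malformed header line: %r" % line)  # catches obs-fold and 'Name :' tricks
        if name.lower() == b"content-length":
            cl.append(value.strip())
        elif name.lower() == b"transfer-encoding":
            te.append(value.strip().lower())
    if cl and te:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if te:
        if te != [b"chunked"]:  # exactly one TE header carrying exactly 'chunked'
            raise ValueError("unsupported Transfer-Encoding: %r" % te)
        return _chunked_end(rest)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit() or int(cl[0]) > len(rest):
            raise ValueError("Content-Length duplicated, non-numeric or longer than body")
        return int(cl[0])
    return 0  # no framing header: no body

def _chunked_end(rest: bytes) -> int:
    pos = 0  # walk every chunk; return the offset just past the 0-chunk's final CRLF
    while True:
        m = re.match(rb"([0-9A-Fa-f]{1,16})(;[^\r\n]*)?\r\n", rest[pos:])  # size [;ext] CRLF
        if not m:
            raise ValueError("malformed chunk-size line at offset %d" % pos)
        size, pos = int(m.group(1), 16), pos + m.end()
        if size == 0 and rest[pos:pos + 2] == b"\r\n":
            return pos + 2
        if size == 0 or rest[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF (trailers are not accepted)")
        pos += size + 2

def check_framing(raw: bytes):  # (length, "") when unambiguous, else (-1, reason)
    try:
        return body_length(raw), ""
    except ValueError as exc:
        return -1, str(exc)
```

A front-end that forwards only requests for which `check_framing` returns a length, re-serialised with a single `Content-Length`, gives the back-end no second way to read the boundary.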
Examples
- CVE-2019-18860 — HAProxy request-smuggling via ambiguous TE header.
- CVE-2021-33193 — Apache HTTP Server mod_proxy_http smuggling.