Awesome-HTTPRequestSmuggling 
A curated list of awesome research about HTTP request smuggling attacks. Feel free to contribute!
π»
Blogs
- HTTP Request Smuggling - The original research by Watchfire
- HTTP Desync Attacks: Request Smuggling Reborn - By James Kettle
- HTTP Desync Attacks: what happened next - By James Kettle
- Breaking the chains on HTTP Request Smuggler - By James Kettle
- h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) - By Jake Miller
- HTTP Desync Attacks with Python and AWS - By Emile Fugulin
- Security: HTTP Smuggling, Apache Traffic Server - By Regileros
- HAProxy HTTP request smuggling (CVE-2019-18277) - By Nathan Davison
- Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
- Desync Mitigation Mode for Amazon AWS Application and Classic Load Balancers
- Protocol Layer Attack - HTTP Request Smuggling - δΈζηζ¬
- Integer Overflow Enables HTTP Smuggling in HAProxy
- HTTP-Request-Smuggling slides - A collection of HTTP-Request-Smuggling mutations
- Cache Poisoning at Scale
- Empirical Study of HTTP Request Smuggling in Open-Source Servers and Proxies
- Harvesting Active Directory credentials via HTTP Request Smuggling
Talks
- DEF CON 24 - Hiding Wookiees in HTTP: HTTP smuggling - By regilero
- BH USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door - By James Kettle
- BH USA 2020 - HTTP Request Smuggling in 2020 β New Variants, New Defenses and New Challenges - By Amit Klein
- BH USA 2017 - Web Cache Deception Attack - By Omer Gil
- BH EU 2021 - Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond - By Daniel Thatcher
- Practical Attacks Using HTTP Request Smuggling - By Evan Custodio at NahamCon
- HTTP Request Smuggling via higher HTTP versions - By Emil Lerner at PHDays2021
- HTTP/2: The Sequel is Always Worse - By James Kettle at BHUSA2021
- Response Smuggling: Pwning HTTP 1 1 Connections - By Martin Doyhenard at DEF CON 29
- BH USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - By James Kettle
Tools
- PortSwigger/http-request-smuggler
- defparam/smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3
- SafeBreach-Labs/HRS
- regilero/HTTPWookiee - An HTTP server and proxy stress tool (respect of RFC, HTTP Smuggling issues, etc)
- BishopFox/h2csmuggler - HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
- aws/http-desync-guardian - Analyze HTTP requests to minimize risks of HTTP Desync attacks
- neex/http2smugl - detects HTTP Request Smuggling that arise during HTTP/2 -> HTTP/1.1 conversion
Bug reports and bounties
- Paypal.com - Stored XSS on paypal.com/signin via cache poisoning. $18,900
- Paypal.com - Bypass for #488147 enables stored XSS on paypal.com/signin again. $20,000
- Slack account takeovers - Mass account takeovers using HTTP Request Smuggling to steal session cookies. $6,500
- Newrelic.com - Password theft login.newrelic.com via Request Smuggling. $3,000
- U.S. Dept Of Defense - Request smuggling on U.S. Dept Of Defense website
- Labs.data.gov - HTTP Request Smuggling on labs.data.gov. $750
- Ruby webrick - Potential HTTP Request Smuggling in ruby webrick. $500
- Cloudflare fixed an HTTP/2 smuggling vulnerability - Cloudflare applies weak validation on HTTP/2 headers. $1000
- Multiple HTTP Smuggling reports - By regilero
Other related attacks
- Host-of-Troubles attacks - Multiple Host header ambiguity to enable cache poisoning and firewall bypass
- BH USA 2020 - You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication - Exploiting email ambiguities to bypass SPF, DKIM, and DMARC authentication