HTTP Request Smuggling
HTTP request smuggling exploits disagreements between front-end and back-end servers about where one request ends and the next begins. When two servers in a chain parse the same byte stream differently, an attacker can “smuggle” a hidden request past the front-end.
These tests send requests with ambiguous framing — conflicting Content-Length and Transfer-Encoding headers, duplicated values, obfuscated encoding names — and verify the server rejects them outright rather than guessing.
Some tests are unscored (marked with *). These send payloads where the RFC permits more than one valid interpretation, for example trimming of optional whitespace (OWS) around a field value or case-insensitive matching of the Transfer-Encoding value. A 2xx response to these is RFC-compliant, but it is shown as a warning because outright rejection is the stricter and preferred behaviour.
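As an added illustration, not the test suite's own code, the following Python classifier applies the framing rules described above to a raw request head and returns the verdict the suite would assign: reject, warn (the unscored cases), or ok. The header parsing, the verdict names and the sample requests are assumptions of this example.

```python
import re

# Constructed classifier for HTTP/1.1 request framing, modelled on the
# checks this test suite describes; an illustration, not the suite's code.
# Verdicts: "reject" (ambiguous, must be refused), "warn" (RFC permits
# more than one reading, e.g. OWS trimming or "Chunked"), "ok".

TCHAR = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 9110 token chars

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw request head; only the
    conventional single SP after the colon is dropped, other OWS is kept."""
    out = []
    for line in raw.split(b"\r\n")[1:]:      # [0] is the request line
        if line == b"":
            break                             # end of the header block
        name, _, value = line.partition(b":")
        if value.startswith(b" "):
            value = value[1:]
        out.append((name.decode("latin-1").lower(), value.decode("latin-1")))
    return out

def classify_framing(raw):
    headers = parse_headers(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    verdict = "ok"
    if cls and tes:
        return "reject"                       # CL and TE together: two body lengths
    if len({v.strip(" \t") for v in cls}) > 1:
        return "reject"                       # differing Content-Length values
    if any(not re.fullmatch(r"[0-9]+", v.strip(" \t")) for v in cls):
        return "reject"                       # signed, non-numeric or empty length
    if len(cls) > 1:
        verdict = "warn"                      # identical duplicates: RFC allows accept or reject
    if tes:
        # the final transfer coding must be exactly "chunked"
        last = ",".join(tes).split(",")[-1]
        core = last.strip(" \t")
        if not TCHAR.fullmatch(core) or core.lower() != "chunked":
            return "reject"                   # obfuscated or non-chunked final coding
        if last != "chunked":
            verdict = "warn"                  # accepted only via OWS trim or case folding
    return verdict
```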