HTTP Request Smuggling

HTTP request smuggling exploits disagreements between front-end and back-end servers about where one request ends and the next begins. When two servers in a chain parse the same byte stream differently, an attacker can “smuggle” a hidden request past the front-end.

These tests send requests with ambiguous framing (conflicting Content-Length and Transfer-Encoding headers, duplicated values, obfuscated transfer-coding names) and verify that the server rejects them outright rather than guessing which framing was intended.

Some tests are unscored (marked with *). These send payloads for which the RFC permits more than one valid interpretation, for example OWS trimming or case-insensitive matching of the Transfer-Encoding value. A 2xx response to these is RFC-compliant but is shown as a warning, since stricter rejection is preferred.
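To make the rejection criteria concrete, here is an added example of a strict framing check written for this page; it is not the test suite's own code and not any server's implementation. It classifies a raw HTTP/1.1 request head as `reject` (ambiguous or malformed framing, to be answered with 400 or 501 and a closed connection), `warn` (tolerated by RFC 9112 but refused by a strict server, matching the unscored category above) or `accept`. The sample requests, the `example.test` host and the helper names are constructed for illustration.

```python
from __future__ import annotations
import re

# Characters allowed in a token (RFC 9110 s5.6.2): field names and coding names.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Transfer codings this checker understands; anything else is answered with 501.
KNOWN_CODINGS = {b"chunked", b"gzip", b"x-gzip", b"deflate", b"compress", b"x-compress"}


def check_framing(raw: bytes) -> tuple[str, str]:
    """Classify the body framing of one raw HTTP/1.1 request.

    Returns (verdict, detail): 'reject' for ambiguous or malformed framing,
    'warn' for framing the RFC tolerates but a strict server refuses,
    'accept' otherwise (detail then names the body delimiter in use).
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject", "header block not terminated by CRLF CRLF"
    lines = head.split(b"\r\n")
    if any(b"\n" in line or b"\r" in line for line in lines):
        return "reject", "bare CR or LF inside header block"

    content_lengths: list[bytes] = []
    transfer_codings: list[bytes] = []
    for line in lines[1:]:                      # lines[0] is the request line
        if line[:1] in (b" ", b"\t"):
            return "reject", "obsolete line folding"            # RFC 9112 s5.2
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            # Covers empty names, whitespace before the colon and non-token bytes.
            return "reject", "malformed field name %r" % name
        values = [v.strip(b" \t") for v in value.split(b",")]  # OWS trimming
        if name.lower() == b"content-length":
            content_lengths += values
        elif name.lower() == b"transfer-encoding":
            transfer_codings += values

    if content_lengths and transfer_codings:
        # RFC 9112 s6.3 allows a server to reject this outright; a strict one does.
        return "reject", "both Content-Length and Transfer-Encoding present"

    if transfer_codings:
        if any(not TOKEN.match(c) for c in transfer_codings):
            return "reject", "transfer coding is not a token"
        lowered = [c.lower() for c in transfer_codings]
        if any(c not in KNOWN_CODINGS for c in lowered):
            return "reject", "unknown transfer coding (answer 501)"
        if lowered[-1] != b"chunked" or lowered.count(b"chunked") != 1:
            return "reject", "chunked must appear exactly once, as the final coding"
        if lowered != transfer_codings:
            # Coding names are case-insensitive, so 'Chunked' is valid, but it is
            # a common obfuscation and a strict server declines it.
            return "warn", "transfer coding matched case-insensitively"
        return "accept", "chunked"

    if content_lengths:
        if any(not re.fullmatch(rb"[0-9]+", v) for v in content_lengths):
            return "reject", "Content-Length is not 1*DIGIT"
        if len(set(content_lengths)) > 1:
            return "reject", "conflicting Content-Length values"        # RFC 9112 s6.3
        if len(content_lengths) > 1:
            # Identical duplicates may be collapsed per RFC 9112 s6.3; still suspect.
            return "warn", "duplicate identical Content-Length"
        return "accept", "content-length %d" % int(content_lengths[0])

    return "accept", "no body"


def request(*headers: bytes, body: bytes = b"") -> bytes:
    """Assemble a constructed POST request from header lines (sample data only)."""
    head = b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    return head + b"".join(h + b"\r\n" for h in headers) + b"\r\n" + body


# Constructed test vectors modelled on the ambiguity classes described above.
SAMPLES = {
    "plain_cl":           request(b"Content-Length: 5", body=b"hello"),
    "plain_te":           request(b"Transfer-Encoding: chunked", body=b"0\r\n\r\n"),
    "cl_and_te":          request(b"Content-Length: 4", b"Transfer-Encoding: chunked"),
    "dup_cl_conflict":    request(b"Content-Length: 4", b"Content-Length: 10"),
    "dup_cl_same":        request(b"Content-Length: 4", b"Content-Length: 4"),
    "te_obfuscated":      request(b"Transfer-Encoding: xchunked"),
    "te_not_last":        request(b"Transfer-Encoding: chunked, gzip"),
    "space_before_colon": request(b"Transfer-Encoding : chunked"),
    "te_mixed_case":      request(b"Transfer-Encoding: Chunked"),
    "cl_signed":          request(b"Content-Length: +5"),
}


def run_all() -> dict[str, str]:
    """Verdict for every constructed sample."""
    return {name: check_framing(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print("%-20s %s: %s" % (name, *check_framing(req)))
```

The check is deliberately stricter than the RFC minimum: conflicting Content-Length values and chunked-not-last are MUST-reject cases, while CL-plus-TE and unknown codings are refused rather than reconciled, which is exactly the behaviour the scored tests look for. Only the case-insensitive `Chunked` and the identical duplicate Content-Length land in the `warn` bucket, mirroring the unscored tests.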