pentest-http-smuggling

HTTP request smuggling, desync attacks, cache poisoning, and protocol-level vulnerability testing.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "pentest-http-smuggling" with this command: npx skills add jd-opensource/joysafeter/jd-opensource-joysafeter-pentest-http-smuggling

Pentest HTTP Smuggling

Purpose

Detect and exploit discrepancies in HTTP request parsing between front-end proxies and back-end servers. These discrepancies let an attacker bypass security controls, poison caches, and hijack other users' requests — a vulnerability class entirely absent from standard taint analysis pipelines.

Prerequisites

Authorization Requirements

  • Written authorization with explicit scope for protocol-level testing
  • Infrastructure awareness — identify all reverse proxies, CDNs, load balancers in path
  • Rollback plan for cache poisoning tests (CDN purge access)
  • Emergency contacts for infrastructure team (smuggling can affect other users)

Environment Setup

  • Python 3.x with raw socket capability for crafted HTTP requests
  • Burp Suite Professional with HTTP Request Smuggler extension
  • curl compiled with HTTP/2 support (--http2-prior-knowledge)
  • Turbo Intruder for timing-sensitive attacks
  • Network capture tool (Wireshark/tcpdump) for response analysis

Core Workflow

  1. Stack Fingerprinting: Identify reverse proxies (nginx, HAProxy, Cloudflare, AWS ALB), CDNs, load balancers. Determine HTTP version support (HTTP/1.1, HTTP/2) and parsing behavior.
  2. CL.TE Smuggling: Craft requests where front-end uses Content-Length and back-end uses Transfer-Encoding. Observe differential parsing and request boundary confusion.
  3. TE.CL Smuggling: Reverse scenario — front-end uses Transfer-Encoding, back-end uses Content-Length. Test with obfuscated TE headers.
  4. TE.TE Smuggling: Both sides use Transfer-Encoding but one can be confused with header obfuscation (capitalization, whitespace, duplicate headers).
  5. HTTP/2 Downgrade: Exploit H2-to-H1 translation at reverse proxies. Header injection via pseudo-headers, CRLF injection in H2 headers, request splitting through H2 CONTINUATION frames.
  6. Cache Poisoning: Poison cached responses with attacker-controlled content. Test cache key vs cache content discrepancies. Verify with different client sessions.
  7. Host Header Attacks: Host header injection, password reset poisoning, routing-based SSRF, web cache poisoning via ambiguous Host headers (WSTG-INPV-17).
  8. Impact Validation: Demonstrate cache poisoning, credential theft, request hijacking, or security control bypass as PoC.
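A defender-side check for the framing ambiguities that steps 2 to 4 rely on, added here as an example and not part of the skill or its repository scripts: it parses constructed sample requests and reports why a strict front end should reject each one rather than guess where the body ends. The sample host, header values and function names are assumptions for illustration.

```python
# Constructed sample requests (not from the skill) covering the framing
# ambiguities the workflow lists: CL and TE together, whitespace/case
# obfuscation of Transfer-Encoding, and duplicate headers.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "te_space": b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "te_case": b"POST / HTTP/1.1\r\nHost: app.example\r\n"
               b"Transfer-Encoding: CHUNKED\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
              b"Content-Length: 9\r\n\r\nabcd",
}

def parse_headers(raw):
    # Split into (name, value) pairs WITHOUT normalising, so obfuscated
    # names and values survive for inspection.
    head = raw.partition(b"\r\n\r\n")[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name.decode("latin-1"), value.decode("latin-1")))
    return pairs

def framing_issues(raw):
    # Reasons a strict front end should refuse the request rather than
    # guess its body length (RFC 7230 section 3.3.3). Empty list = clean.
    issues = []
    headers = parse_headers(raw)
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    te = [v.strip() for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    for n, _ in headers:  # whitespace before ':' is invalid (RFC 7230 3.2.4)
        if n != n.rstrip():
            issues.append("whitespace between header name and colon: %r" % n)
    if len(cl) > 1 and len(set(cl)) > 1:
        issues.append("conflicting duplicate Content-Length values")
    if len(te) > 1:
        issues.append("duplicate Transfer-Encoding headers")
    for v in te:  # strict policy: accept only the literal token 'chunked'
        if v != "chunked":
            issues.append("non-canonical Transfer-Encoding value: %r" % v)
    return issues
```

Running `framing_issues` over each entry in `SAMPLES` shows that only the clean request passes; every other sample is one the two parsers in a proxy chain could frame differently.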

WSTG Coverage

WSTG ID        Test Name                Status
WSTG-INPV-15   HTTP Request Smuggling
WSTG-INPV-17   Host Header Injection

Tool Categories

Category              Tools                                        Purpose
Smuggling Detection   smuggler.py, HTTP Request Smuggler (Burp)    Automated CL.TE/TE.CL detection
HTTP/2 Testing        h2csmuggler, curl --http2, nghttp            H2 downgrade and desync attacks
Timing Attacks        Turbo Intruder                               Microsecond-precision request timing
Raw Requests          Python sockets, netcat                       Crafted malformed HTTP requests
Cache Analysis        curl, custom scripts                         Cache behavior verification
Traffic Capture       Wireshark, tcpdump                           Response boundary analysis

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
