skills/jd-opensource/joysafeter/pentest-http-smuggling

Pentest HTTP Smuggling

Purpose

Detect and exploit discrepancies between front-end proxies and back-end servers in how they parse HTTP requests. These attacks bypass security controls, poison caches, and hijack other users' requests, and standard taint-analysis pipelines do not cover them at all.

Prerequisites

Authorization Requirements

  • Written authorization with explicit scope for protocol-level testing
  • Infrastructure awareness: identify every reverse proxy, CDN, and load balancer in the request path
  • Rollback plan for cache poisoning tests (CDN purge access)
  • Emergency contacts for the infrastructure team (smuggling can affect other users)

Environment Setup

  • Python 3.x with raw socket capability for crafted HTTP requests
  • Burp Suite Professional with HTTP Request Smuggler extension
  • curl compiled with HTTP/2 support (--http2-prior-knowledge)
  • Turbo Intruder for timing-sensitive attacks
  • Network capture tool (Wireshark/tcpdump) for response analysis

Core Workflow

  1. Stack Fingerprinting: Identify reverse proxies (nginx, HAProxy, Cloudflare, AWS ALB), CDNs, load balancers. Determine HTTP version support (HTTP/1.1, HTTP/2) and parsing behavior.
  2. CL.TE Smuggling: Craft requests where front-end uses Content-Length and back-end uses Transfer-Encoding. Observe differential parsing and request boundary confusion.
  3. TE.CL Smuggling: Reverse scenario — front-end uses Transfer-Encoding, back-end uses Content-Length. Test with obfuscated TE headers.
  4. TE.TE Smuggling: Both sides use Transfer-Encoding but one can be confused with header obfuscation (capitalization, whitespace, duplicate headers).
  5. HTTP/2 Downgrade: Exploit H2-to-H1 translation at reverse proxies. Header injection via pseudo-headers, CRLF injection in H2 headers, request splitting through H2 CONTINUATION frames.
  6. Cache Poisoning: Poison cached responses with attacker-controlled content. Test for discrepancies between the cache key and the cached content. Verify with a different client session.
  7. Host Header Attacks: Host header injection, password reset poisoning, routing-based SSRF, web cache poisoning via ambiguous Host headers (WSTG-INPV-17).
  8. Impact Validation: Demonstrate cache poisoning, credential theft, request hijacking, or security control bypass as PoC.
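The defensive counterpart of steps 2 to 4, as an added example that is not part of this skill or its tooling: a strict front-end check that rejects any request whose body framing two parsers could read differently (both Content-Length and Transfer-Encoding present, duplicate or obfuscated Transfer-Encoding, whitespace before the colon). The function names, the sample requests and the "exact token only" policy are assumptions made for the illustration.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous (CL.TE/TE.CL/TE.TE).

RFC 7230 s3.3.3 says a server that sees both Content-Length and Transfer-Encoding
ought to reject the request, and s3.2.4 requires rejecting whitespace between a
field name and its colon. Enforcing this at the front-end removes the ambiguity.
"""

OWS = " \t"  # the only whitespace RFC 7230 permits around a field value


def header_fields(raw: bytes) -> list[tuple[str, str]]:
    """(name, value) pairs with duplicates and original spelling kept, so obfuscation stays visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [tuple(line.partition(":")[::2])        # (name, value)
            for line in head.split("\r\n")[1:]]   # skip the request line


def framing_findings(raw: bytes) -> list[str]:
    """Reasons a strict gateway should reject `raw`; an empty list means forwardable."""
    findings, cl, te = [], [], []
    for name, value in header_fields(raw):
        if name != name.rstrip(OWS):              # e.g. "Transfer-Encoding : chunked"
            findings.append(f"whitespace before colon in {name!r}")
        canon = name.strip(OWS).lower()
        if canon == "content-length":
            cl.append(value.strip(OWS))
        elif canon == "transfer-encoding":
            te.append(value)
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    if len(te) > 1:
        findings.append("duplicate Transfer-Encoding headers")
    for v in te:
        # Policy choice (assumed): only the exact token "chunked" after OWS is accepted.
        # Codings are case-insensitive per RFC 7230 s4, but back-ends differ, so reject.
        if v.strip(OWS) != "chunked":
            findings.append(f"non-canonical Transfer-Encoding {v!r}")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TE_TE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n"
         b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
```

Wiring `framing_findings` in front of the forwarding step and returning 400 on any finding is the mitigation; the same function doubles as a log-side detector for the probes the workflow above sends.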

WSTG Coverage

| WSTG ID | Test Name | Status |
|---|---|---|
| WSTG-INPV-15 | HTTP Request Smuggling | |
| WSTG-INPV-17 | Host Header Injection | |

Tool Categories

| Category | Tools | Purpose |
|---|---|---|
| Smuggling Detection | smuggler.py, HTTP Request Smuggler (Burp) | Automated CL.TE/TE.CL detection |
| HTTP/2 Testing | h2csmuggler, curl --http2, nghttp | H2 downgrade and desync attacks |
| Timing Attacks | Turbo Intruder | Microsecond-precision request timing |
| Raw Requests | Python sockets, netcat | Crafted malformed HTTP requests |
| Cache Analysis | curl, custom scripts | Cache behavior verification |
| Traffic Capture | Wireshark, tcpdump | Response boundary analysis |

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

Weekly Installs: 21
GitHub Stars: 175
First Seen: Feb 18, 2026