CAPEC-33: HTTP Request Smuggling

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.
Extended Description

A maliciously crafted HTTP request that contains a second, secretly embedded HTTP request is interpreted by an intermediary web proxy as a single benign HTTP request and forwarded to a back-end server, which interprets and parses it as two authorized benign HTTP requests, bypassing security controls.

This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]
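
An added example (not part of the CAPEC entry): a strict framing check that an intermediary could run over a request's header block to reject the Content-Length / Transfer-Encoding ambiguities described above. The function name `framing_issues`, the policy choices (a strict reading in the spirit of RFC 7230's message-framing rules) and the sample requests are assumptions constructed for this illustration.

```python
import re

# Characters allowed in a header field-name; no whitespace before the colon.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_issues(raw: bytes) -> list[str]:
    """Return reasons the request's framing is ambiguous (empty list = OK)."""
    issues = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if b"\n" in head.replace(b"\r\n", b""):
        issues.append("bare LF line ending in header block")
    cl, te = [], []
    for line in head.split(b"\r\n")[1:]:      # skip the request-line
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            issues.append(f"malformed header name {name!r}")
        # Classify leniently: another agent in the path may accept the line.
        key = name.strip().lower()
        if key == b"content-length":
            cl.append(value.strip())
        elif key == b"transfer-encoding":
            te.append(value.strip().lower())
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        issues.append("non-numeric Content-Length")
    if te and te != [b"chunked"]:
        issues.append("Transfer-Encoding is not exactly 'chunked'")
    return issues

# Constructed sample requests (not captured traffic).
_H = b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "clean": _H + b"Content-Length: 5\r\n\r\nhello",
    "cl_and_te": _H + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": _H + b"Content-Length: 5\r\nContent-Length: 9\r\n\r\nhello",
    "spaced_te": _H + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, framing_issues(req) or "OK")
```

A front-end that rejects any request with a non-empty result, instead of picking one interpretation, removes the disagreement that a back-end with a different parser would otherwise resolve differently.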

Additionally, this attack can be performed through modification and/or fuzzing of the parameters composing the request-line of HTTP messages.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Smuggling is an attempt to compromise a back-end HTTP agent via HTTP Request messages.

HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.

Severity :


Possibility :


Type :


This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An additional intermediary HTTP agent, such as an application firewall or a web caching proxy, between the adversary and the second agent, such as a web server, that sends multiple HTTP messages over the same network connection.
  • Differences in the way the two HTTP agents parse and interpret HTTP requests and their headers.
  • HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
Skills required

  • Medium: Detailed knowledge of the HTTP protocol: request and response message structure and usage of specific headers.
  • Medium: Detailed knowledge of how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.
  • Medium: Knowledge of the exact discrepancies between the targeted HTTP agents in the path of an HTTP message in how they parse its message structure and individual headers.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Latest DB Update: Jul. 22, 2024 8:40