← Lessons

quiz vs the machine

Platinum1840

Security

HTTP Request Smuggling

How disagreement over message length lets one request hijack another.

6 min read · advanced · beat Platinum to climb

The Desync

HTTP request smuggling abuses a disagreement between two servers about where one request ends and the next begins. A front end proxy and a back end server can parse the same byte stream differently, so an attacker hides a second request inside the first.

How Servers Disagree

  • A request can declare its body length with Content Length or with Transfer Encoding chunked.
  • If a proxy honors one header and the back end honors the other, their boundaries drift apart.
  • The leftover bytes become the prefix of the next victim request on the reused connection.

What It Enables

  • Stealing another user's request, poisoning the cache, or bypassing front end access controls.
  • Reaching internal endpoints the proxy would normally block.

Defenses

  • Normalize requests at the edge and reject ambiguous ones that carry both length headers.
  • Prefer HTTP2 end to end, which frames message length unambiguously.
  • Disable connection reuse between proxy and back end when parsing cannot be aligned.

Key idea

Request smuggling exploits length parsing disagreement, so reject ambiguous framing and prefer protocols that mark message boundaries unambiguously.

Check yourself

Answer to earn rating on the learn ladder.

1. What root cause makes request smuggling possible?

2. Which pair of headers creates the dangerous ambiguity?

3. What is a strong structural defense?