HTTP Request Smuggling in 2023: CL.TE, TE.CL, TE.TE, HTTP/2 Downgrades
HTTP request smuggling keeps producing critical findings because front and back servers disagree about request boundaries. This guide breaks down the CL.TE, TE.CL, TE.TE, and HTTP/2 downgrade variants, and the hunting workflow that finds them quickly.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 28, 2023 · 11 min read
Why Smuggling Pays
A front-end and a back-end server parsing the same request differently is a rare condition, but a high-impact one. Successful smuggling yields stored XSS, session hijacking, cache poisoning, and unauthenticated access to admin endpoints.
The Four Classic Variants
- CL.TE: front trusts Content-Length, back trusts Transfer-Encoding
- TE.CL: front trusts TE, back trusts CL
- TE.TE: both support TE but obfuscation makes one ignore it
- CL.0: emerging variants where one side reads zero body
HTTP/2 Downgrade Smuggling
When a front-end speaks HTTP/2 to clients but downgrades to HTTP/1.1 towards backends, the translation from HTTP/2 framing, where every frame carries its own length, into HTTP/1.1 Content-Length and Transfer-Encoding headers introduces new desync surface. h2.CL and h2.TE attacks abuse this conversion.
Hunting Workflow
- Use HTTP Request Smuggler in Burp to probe candidates
- Run smuggler.py from the command line for additional variants
- Confirm with a timing differential: a smuggled request stalls the connection
- Stage a benign smuggled payload, such as a request to a path that 404s, carrying a unique header
Confirmation Without Hurting Users
Avoid smuggling state-changing requests on production. Use a benign GET to a unique path and confirm via a Burp Collaborator callback or a log entry that you can read in a status endpoint.
Pivots Worth Demonstrating
- Capture other users' requests including auth cookies
- Cache poisoning at the smuggling layer to serve attacker HTML
- Bypass front-end auth or WAF for the smuggled request
- Reach internal admin endpoints that only the backend exposes
Tooling
- HTTP Request Smuggler Burp extension
- smuggler.py by defparam
- h2cSmuggler for HTTP/2 upgrade attacks
- Turbo Intruder for single-packet attacks that bypass timing noise
Reading the Response
Smuggled responses often arrive on the next user's connection. Set up a long-poll endpoint to capture them, or use the storage technique that writes the response into a location you can later read.
Common False Positives
- Server timing variation that looks like a desync
- Keep-alive resets that drop the smuggled payload
- WAF blocking on the second request rather than parsing it
Variants Emerging in 2023
CL.0 smuggling exploits backends that ignore Content-Length on certain methods. Browser-powered desync uses the victim's own browser as the smuggler, expanding the reach beyond what curl can produce.
Reporting
Smuggling reports need a clean lab reproduction and a controlled production confirmation. Include the timing trace, the Collaborator interaction, and the exact request bytes.
Request smuggling rewards reading RFCs. The hunters who know the exact grammar of Content-Length and Transfer-Encoding find what scanners miss.
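The strict-grammar reading recommended here, and the header disagreement behind the variants listed earlier, as an added example (not code from the original article): a Python audit function that frames a request the way RFC 7230 prescribes and lists every deviation a more lenient hop might interpret differently. The function name, the sample request and the hostname are constructed for illustration.

```python
import re

# RFC 7230 token characters; a field name is a token followed immediately by ':'
# (no whitespace before the colon, section 3.2.4).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_FIELD_LINE = re.compile(rf"^({_TOKEN}):[ \t]*(.*?)[ \t]*$")


def audit_framing(raw: bytes) -> dict:
    """Report how a strict HTTP/1.1 parser frames the body of `raw` and every
    deviation from the RFC 7230 grammar that could let two hops disagree.
    A front-end that rejects any request with a non-empty 'problems' list
    removes the ambiguity that CL.TE, TE.CL and TE.TE depend on."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    field_lines = head.decode("latin-1").split("\r\n")[1:]  # skip request-line
    problems, cl_values, te_values = [], [], []
    for line in field_lines:
        m = _FIELD_LINE.match(line)
        if not m:  # obs-fold, space before ':', non-token name, etc.
            problems.append(f"malformed field line: {line!r}")
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "content-length":
            cl_values.append(value)
        elif name == "transfer-encoding":
            te_values.append(value)
    # Content-Length must be a single 1*DIGIT value (section 3.3.2).
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl_values):
        problems.append("Content-Length is not a plain decimal integer")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    # Transfer-Encoding is a comma list of coding tokens whose final coding must be
    # 'chunked' (case-insensitive, section 3.3.3); 'xchunked' and friends fail here.
    codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
    if te_values and (not codings or codings[-1] != "chunked"):
        problems.append("Transfer-Encoding does not end with chunked")
    if any(not re.fullmatch(_TOKEN, c) for c in codings):
        problems.append("Transfer-Encoding contains a non-token coding")
    # Both headers present: TE wins and CL must be dropped, or the request rejected (3.3.3).
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    framing = "chunked" if te_values else ("content-length" if cl_values else "none")
    return {"framing": framing, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: both framing headers on one request, which a strict edge should reject.
    sample = (b"POST /x HTTP/1.1\r\nHost: app.example\r\nContent-Length: 15\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
    print(audit_framing(sample))
```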
Closing
HTTP smuggling will keep producing critical bounties as long as proxy chains exist. Learn the four base variants, then chase HTTP/2 downgrade and CL.0 for the next wave.