HTTP Request Smuggling is a vulnerability class that occurs when frontend and backend HTTP servers disagree on where one request ends and the next begins. It enables cache poisoning, request hijacking, authentication bypass, and credential theft — all from a single carefully-crafted request. James Kettle’s research (2019, with major follow-ups in 2021-2024) put smuggling on the offensive map. This module covers the variants, exploitation patterns, and defenses for 2026.

The fundamental issue

HTTP/1.1 has two ways to indicate the end of a request body:

Content-Length: 100 — body is exactly 100 bytes
Transfer-Encoding: chunked — body is a series of length-prefixed chunks ending with 0\r\n\r\n

If a request has both, RFC 7230 says Transfer-Encoding wins. But many proxies and servers parse one and ignore the other — or have subtle bugs in chunked parsing. When the front-end and back-end disagree, an attacker can sneak a partial request past the front-end into the back-end’s queue.

The classic variants

CL.TE — front uses Content-Length, back uses Transfer-Encoding

POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

Front-end sees CL=13, forwards 13 bytes (0\r\n\r\nSMUGGLED). Back-end sees TE=chunked, reads 0\r\n\r\n as end-of-body, leaves “SMUGGLED” prefixing the next request in the connection.

TE.CL — front uses TE, back uses CL

POST / HTTP/1.1
Host: target.com
Content-Length: 4
Transfer-Encoding: chunked

5e
POST /admin HTTP/1.1
Host: target.com
Foo: bar
0

Front-end reads chunked body fully. Back-end uses CL=4, reads only 4 bytes (“5e\r\n”), the rest is queued as a new request — including the smuggled POST /admin.

TE.TE — both use TE but differ on parsing

Front-end ignores a malformed TE header due to obfuscation; back-end accepts it. Common obfuscations:

Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding:[tab]chunked
X: X[\n]Transfer-Encoding: chunked

HTTP/2 downgrade smuggling

James Kettle’s 2021 research showed HTTP/2 downgrade attacks. Many edge proxies accept HTTP/2 from clients but downgrade to HTTP/1.1 to talk to the back-end. The HTTP/2 frame format has length headers — when downgraded to HTTP/1.1, those become CL/TE. Attackers manipulate HTTP/2 fields that, after downgrade, produce smuggled HTTP/1.1.

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 29% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

7 more sections locked below

Module 14 · HTTP Request Smuggling 🔒

The fundamental issue

The classic variants

CL.TE — front uses Content-Length, back uses Transfer-Encoding

TE.CL — front uses TE, back uses CL

TE.TE — both use TE but differ on parsing

HTTP/2 downgrade smuggling

Continue reading with Pro tier (₹4,999/year)

Other modules in this track

Module 17 · Prototype Pollution <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 8 · API Security (OWASP API Top 10) <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 1 · HTTP & Web Fundamentals <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>