Last updated: May 1, 2026
HTTP Request Smuggling is a vulnerability class that occurs when frontend and backend HTTP servers disagree on where one request ends and the next begins. It enables cache poisoning, request hijacking, authentication bypass, and credential theft — all from a single carefully crafted request. James Kettle’s research (2019, with major follow-ups in 2021-2024) put smuggling on the offensive map. This module covers the variants, exploitation patterns, and defenses for 2026.
The fundamental issue
HTTP/1.1 has two ways to indicate the end of a request body:
Content-Length: 100 — body is exactly 100 bytes
Transfer-Encoding: chunked — body is a series of length-prefixed chunks ending with 0\r\n\r\n
If a request has both, RFC 7230 says Transfer-Encoding wins. But many proxies and servers parse one and ignore the other — or have subtle bugs in chunked parsing. When the front-end and back-end disagree, an attacker can sneak a partial request past the front-end into the back-end’s queue.
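The disagreement described above can be checked for at the edge. The following Python sketch is an added example, not code from the original page: it flags requests whose framing is ambiguous and reports where each interpretation says the body ends. The function names, messages and sample requests are constructed for illustration, and the chunked parser is deliberately strict (no chunk extensions or trailers).

```python
import re

def parse_headers(raw: bytes):
    """Split a raw request into ([(name, value), ...], body) without normalising."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = [tuple(line.partition(b":")[::2]) for line in head.split(b"\r\n")[1:]]
    return headers, body

def chunked_length(body: bytes):
    """Bytes consumed by a strict chunked parser, or None if malformed."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0 or not re.fullmatch(rb"[0-9A-Fa-f]+", body[pos:end]):
            return None
        size = int(body[pos:end], 16)
        pos = end + 2
        if size == 0:  # last chunk: must be followed directly by CRLF
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if body[pos + size:pos + size + 2] != b"\r\n":
            return None
        pos += size + 2

def framing_issues(raw: bytes):
    """Reasons a front-end should reject the request (empty list = unambiguous)."""
    headers, body = parse_headers(raw)
    issues = []
    cl = [v.strip() for n, v in headers if n.strip().lower() == b"content-length"]
    te = [v for n, v in headers if n.strip().lower() == b"transfer-encoding"]
    if any(n != n.strip() for n, _ in headers):
        issues.append("whitespace around a header name")
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cl):
        issues.append("non-numeric Content-Length")
    # Strict policy (assumption): only a plain "chunked" coding is accepted.
    if any(v.strip(b" \t").lower() != b"chunked" for v in te):
        issues.append("Transfer-Encoding other than plain 'chunked'")
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
        by_te = chunked_length(body)
        if cl[0].isdigit() and by_te != int(cl[0]):
            issues.append(f"body ends at {int(cl[0])} by Content-Length but {by_te} by chunked")
    return issues

# Constructed sample requests (example.test is a placeholder host).
CLEAN = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 10\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nXXXXX")
```

A non-empty result is grounds for answering 400 and closing the connection rather than forwarding the request.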