HTTP Request Smuggling – The Ultimate Guide
May 2, 2022
An HTTP request smuggling attack occurs when an attacker interferes with the processing of HTTP requests between clients and web servers. The attacker crafts multiple HTTP requests from a single request, so that two target entities see the same HTTP request as distinct, separate requests.
The impact of HTTP request smuggling attacks is far-reaching, since the attacker can perform session hijacking or bypass security controls to gain unauthorized access to sensitive data. This article describes the causes of HTTP request smuggling and its prevention and mitigation techniques.
What is an HTTP Request?
When a client wants to access a resource on an application server, it sends an HTTP request. The HTTP request is made using a Uniform Resource Locator (URL). A complete HTTP request mainly contains the following three things:
A request line – The request line contains an HTTP request method, the request URL’s path component, and an HTTP version number. The HTTP request method tells the server which action to perform on the resource. There are various HTTP request methods, such as GET, POST, and PUT. The request URL’s path component identifies the target resource and points to the backend connections for the requested resource. Finally, the HTTP version indicates the version expected when the response is sent back. An