hunt-http-smuggling

Community

Detect and validate request smuggling in the wild

Author: jellaharshith
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill helps you hunt for HTTP request smuggling by identifying parser disagreements between a front-end proxy and a back-end server so you can confirm and validate the cross-client impact.

Core Features & Use Cases

  • Protocol-vector coverage: Focuses on CL.TE, TE.CL, H2.CL, and H2.TE smuggling paths, including modern HTTP/2 downgrade scenarios.
  • Hunting workflow and confirmation: Provides detection approaches (e.g., Burp HTTP Request Smuggler, smuggler tooling, and timing-based confirmation) and validation ideas that distinguish real smuggling effects from self-induced delays.
  • Operator targeting guidance: Includes a target-suitability matrix and fingerprinting guidance to prioritize realistic CDN + origin and load balancer/WAF bypass opportunities.
  • Chain linkage for real-world triage: References common escalation chains such as cache poisoning, auth bypass, session attachment/credential theft, and reflected XSS at the victim queue level.

Quick Start

Use the hunt-http-smuggling skill to identify whether your target’s front-end/origin stack is vulnerable to CL.TE, TE.CL, or HTTP/2 downgrade smuggling, then confirm exploitability using a timing-based cross-request technique.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install it automatically. Copy the text below and paste it into Claude Code.

Please help me install this Skill:
Name: hunt-http-smuggling
Download link: https://github.com/jellaharshith/SWIFT/archive/main.zip#hunt-http-smuggling

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.