jd-opensource/pentest-http-smuggling
skills/pentest-http-smuggling/SKILL.md
HTTP request smuggling, desync attacks, cache poisoning, and protocol-level vulnerability testing.
$ install --global
skillsauthnpx skillsauth add jd-opensource/joysafeter pentest-http-smugglingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 2:18 AM4.2s3 files scanned
SKILL.md
- name:
- pentest-http-smuggling
- description:
- HTTP request smuggling, desync attacks, cache poisoning, and protocol-level vulnerability testing.
Pentest HTTP Smuggling
Purpose
Detect and exploit discrepancies between front-end proxies and back-end servers in HTTP request parsing. These attacks bypass security controls, poison caches, and hijack requests — entirely absent from standard taint analysis pipelines.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for protocol-level testing
- Infrastructure awareness — identify all reverse proxies, CDNs, load balancers in path
- Rollback plan for cache poisoning tests (CDN purge access)
- Emergency contacts for infrastructure team (smuggling can affect other users)
Environment Setup
- Python 3.x with raw socket capability for crafted HTTP requests
- Burp Suite Professional with HTTP Request Smuggler extension
- curl compiled with HTTP/2 support (
--http2-prior-knowledge) - Turbo Intruder for timing-sensitive attacks
- Network capture tool (Wireshark/tcpdump) for response analysis
Core Workflow
- Stack Fingerprinting: Identify reverse proxies (nginx, HAProxy, Cloudflare, AWS ALB), CDNs, load balancers. Determine HTTP version support (HTTP/1.1, HTTP/2) and parsing behavior.
- CL.TE Smuggling: Craft requests where front-end uses Content-Length and back-end uses Transfer-Encoding. Observe differential parsing and request boundary confusion.
- TE.CL Smuggling: Reverse scenario — front-end uses Transfer-Encoding, back-end uses Content-Length. Test with obfuscated TE headers.
- TE.TE Smuggling: Both sides use Transfer-Encoding but one can be confused with header obfuscation (capitalization, whitespace, duplicate headers).
- HTTP/2 Downgrade: Exploit H2-to-H1 translation at reverse proxies. Header injection via pseudo-headers, CRLF injection in H2 headers, request splitting through H2 CONTINUATION frames.
- Cache Poisoning: Poison cached responses with attacker-controlled content. Test cache key vs cache content discrepancies. Verify with different client sessions.
- Host Header Attacks: Host header injection, password reset poisoning, routing-based SSRF, web cache poisoning via ambiguous Host headers (WSTG-INPV-17).
- Impact Validation: Demonstrate cache poisoning, credential theft, request hijacking, or security control bypass as PoC.
WSTG Coverage
| WSTG ID | Test Name | Status | |---------|-----------|--------| | WSTG-INPV-15 | HTTP Request Smuggling | ✅ | | WSTG-INPV-17 | Host Header Injection | ✅ |
Tool Categories
| Category | Tools | Purpose | |----------|-------|---------| | Smuggling Detection | smuggler.py, HTTP Request Smuggler (Burp) | Automated CL.TE/TE.CL detection | | HTTP/2 Testing | h2csmuggler, curl --http2, nghttp | H2 downgrade and desync attacks | | Timing Attacks | Turbo Intruder | Microsecond-precision request timing | | Raw Requests | Python sockets, netcat | Crafted malformed HTTP requests | | Cache Analysis | curl, custom scripts | Cache behavior verification | | Traffic Capture | Wireshark, tcpdump | Response boundary analysis |
References
references/tools.md- Tool function signatures and parametersreferences/workflows.md- Attack pattern definitions and test vectors
Related Skills
jd-opensource/xlsx
development
VerifiedTrustedCommunity
Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. When Claude needs to work with spreadsheets (.xlsx, .xlsm, .csv, .tsv, etc) for: (1) Creating new spreadsheets with formulas and formatting, (2) Reading or analyzing data, (3) Modify existing spreadsheets while preserving formulas, (4) Data analysis and visualization in spreadsheets, or (5) Recalculating formulas
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/writing-plans
development
VerifiedTrustedCommunity
Use when you have a spec or requirements for a multi-step task, before touching code
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/skill-security-auditor
testing
VerifiedTrustedCommunity
OpenClaw Skills 全方位安全审计工具,检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.
238SKILL.mdUpdated Apr 6, 2026