awesome-httprequestsmuggling
github.com/chenjj/awesome-httprequestsmuggling
A curated list of awesome blogs and tools about HTTP request smuggling attacks. Feel free to contribute! 🍻
What's inside
Tools
- aws/http-desync-guardian
Analyze HTTP requests to minimize risks of HTTP Desync attacks
- BishopFox/h2csmuggler
HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
- defparam/smuggler
An HTTP Request Smuggling / Desync testing tool written in Python 3
- neex/http2smugl
Detects HTTP Request Smuggling issues that arise during HTTP/2 -> HTTP/1.1 conversion
- PortSwigger/http-request-smuggler
- regilero/HTTPWookiee
An HTTP server and proxy stress tool (respect of RFC, HTTP Smuggling issues, etc)
Talks
- BH EU 2021 - Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
By Daniel Thatcher
- BH USA 2017 - Web Cache Deception Attack
By Omer Gil
- BH USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
By James Kettle
- BH USA 2020 - HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges
By Amit Klein
- BH USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
By James Kettle
- DEF CON 24 - Hiding Wookiees in HTTP: HTTP smuggling
By regilero
Other related attacks
- BH USA 2020 - You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
Exploiting email ambiguities to bypass SPF, DKIM, and DMARC authentication
- Host-of-Troubles attacks
Multiple Host header ambiguity to enable cache poisoning and firewall bypass
Blogs
- Breaking the chains on HTTP Request Smuggler
By James Kettle
- Cache Poisoning at Scale
- Desync Mitigation Mode for Amazon AWS Application and Classic Load Balancers
- Empirical Study of HTTP Request Smuggling in Open-Source Servers and Proxies
- h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)
By Jake Miller
- HAProxy HTTP request smuggling (CVE-2019-18277)
By Nathan Davison
Bug reports and bounties
- Cloudflare fixed an HTTP/2 smuggling vulnerability
Cloudflare applies weak validation on HTTP/2 headers. $1000
- Labs.data.gov
HTTP Request Smuggling on labs.data.gov. $750
- Multiple HTTP Smuggling reports
By regilero
- Newrelic.com
Password theft login.newrelic.com via Request Smuggling. $3,000
- Paypal.com
Stored XSS on paypal.com/signin via cache poisoning. $18,900
- Paypal.com
Bypass for #488147 enables stored XSS on paypal.com/signin again. $20,000