CINXE.COM

<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-disabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-not-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>View source for HTTP request smuggling - Wikipedia</title> <script>(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-disabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-not-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":true,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat": "dmy","wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"7435d276-8b40-4028-a264-030321a2858a","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"HTTP_request_smuggling","wgTitle":"HTTP request smuggling","wgCurRevisionId":1244845542,"wgRevisionId":0,"wgArticleId":63364132,"wgIsArticle":false,"wgIsRedirect":false,"wgAction":"edit","wgUserName":null,"wgUserGroups":["*"],"wgCategories":[],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"HTTP_request_smuggling","wgRelevantArticleId":63364132,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true, "wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":7000,"wgRelatedArticlesCompat":[],"wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading", "skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","jquery.makeCollapsible.styles":"ready","ext.charinsert.styles":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["mediawiki.action.edit.collapsibleFooter","site","mediawiki.page.ready","jquery.makeCollapsible","skins.vector.js","ext.centralNotice.geoIP","ext.charinsert","ext.gadget.ReferenceTooltips","ext.gadget.charinsert","ext.gadget.extra-toolbar-buttons","ext.gadget.refToolbar","ext.gadget.switcher","ext.urlShortener.toolbar","ext.centralauth.centralautologin","mmv.bootstrap","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.checkUser.clientHints", "ext.growthExperiments.SuggestedEditSession","wikibase.sidebar.tracking"];</script> <script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" href="/w/load.php?lang=en&modules=ext.charinsert.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cjquery.makeCollapsible.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles&only=styles&skin=vector-2022"> <script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="noindex,nofollow,max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/5/5b/HTTP_logo.svg/1200px-HTTP_logo.svg.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="642"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/5/5b/HTTP_logo.svg/800px-HTTP_logo.svg.png"> <meta property="og:image:width" content="800"> <meta property="og:image:height" content="428"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/5/5b/HTTP_logo.svg/640px-HTTP_logo.svg.png"> <meta property="og:image:width" content="640"> <meta property="og:image:height" content="343"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="View source for HTTP request smuggling - Wikipedia"> <meta property="og:type" content="website"> <link rel="preconnect" href="//upload.wikimedia.org"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/HTTP_request_smuggling"> <link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=HTTP_request_smuggling&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"> <link rel="icon" href="/static/favicon/wikipedia.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"> <link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"> <link rel="canonical" href="https://en.wikipedia.org/wiki/HTTP_request_smuggling"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> <link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom"> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-HTTP_request_smuggling rootpage-HTTP_request_smuggling skin-vector-2022 action-edit"><a class="mw-jump-link" href="#bodyContent">Jump to content</a> <div class="vector-header-container"> <header class="vector-header mw-header"> <div class="vector-header-start"> <nav class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-dropdown" class="vector-dropdown vector-main-menu-dropdown vector-button-flush-left vector-button-flush-right" > <input type="checkbox" id="vector-main-menu-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-main-menu-dropdown" class="vector-dropdown-checkbox " aria-label="Main menu" > <label id="vector-main-menu-dropdown-label" for="vector-main-menu-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-menu mw-ui-icon-wikimedia-menu"></span> <span class="vector-dropdown-label-text">Main menu</span> </label> <div class="vector-dropdown-content"> <div id="vector-main-menu-unpinned-container" class="vector-unpinned-container"> <div id="vector-main-menu" class="vector-main-menu vector-pinnable-element"> <div class="vector-pinnable-header vector-main-menu-pinnable-header vector-pinnable-header-unpinned" data-feature-name="main-menu-pinned" data-pinnable-element-id="vector-main-menu" data-pinned-container-id="vector-main-menu-pinned-container" data-unpinned-container-id="vector-main-menu-unpinned-container" > <div class="vector-pinnable-header-label">Main menu</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-main-menu.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-main-menu.unpin">hide</button> </div> <div id="p-navigation" class="vector-menu mw-portlet mw-portlet-navigation" > <div class="vector-menu-heading"> Navigation </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mainpage-description" class="mw-list-item"><a href="/wiki/Main_Page" title="Visit the main page [z]" accesskey="z"><span>Main page</span></a></li><li id="n-contents" class="mw-list-item"><a href="/wiki/Wikipedia:Contents" title="Guides to browsing Wikipedia"><span>Contents</span></a></li><li id="n-currentevents" class="mw-list-item"><a href="/wiki/Portal:Current_events" title="Articles related to current events"><span>Current events</span></a></li><li id="n-randompage" class="mw-list-item"><a href="/wiki/Special:Random" title="Visit a randomly selected article [x]" accesskey="x"><span>Random article</span></a></li><li id="n-aboutsite" class="mw-list-item"><a href="/wiki/Wikipedia:About" title="Learn about Wikipedia and how it works"><span>About Wikipedia</span></a></li><li id="n-contactpage" class="mw-list-item"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us" title="How to contact Wikipedia"><span>Contact us</span></a></li> </ul> </div> </div> <div id="p-interaction" class="vector-menu mw-portlet mw-portlet-interaction" > <div class="vector-menu-heading"> Contribute </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-help" class="mw-list-item"><a href="/wiki/Help:Contents" title="Guidance on how to use and edit Wikipedia"><span>Help</span></a></li><li id="n-introduction" class="mw-list-item"><a href="/wiki/Help:Introduction" title="Learn how to edit Wikipedia"><span>Learn to edit</span></a></li><li id="n-portal" class="mw-list-item"><a href="/wiki/Wikipedia:Community_portal" title="The hub for editors"><span>Community portal</span></a></li><li id="n-recentchanges" class="mw-list-item"><a href="/wiki/Special:RecentChanges" title="A list of recent changes to Wikipedia [r]" accesskey="r"><span>Recent changes</span></a></li><li id="n-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_upload_wizard" title="Add images or other media for use on Wikipedia"><span>Upload file</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> <a href="/wiki/Main_Page" class="mw-logo"> <img class="mw-logo-icon" src="/static/images/icons/wikipedia.png" alt="" aria-hidden="true" height="50" width="50"> <span class="mw-logo-container skin-invert"> <img class="mw-logo-wordmark" alt="Wikipedia" src="/static/images/mobile/copyright/wikipedia-wordmark-en.svg" style="width: 7.5em; height: 1.125em;"> <img class="mw-logo-tagline" alt="The Free Encyclopedia" src="/static/images/mobile/copyright/wikipedia-tagline-en.svg" width="117" height="13" style="width: 7.3125em; height: 0.8125em;"> </span> </a> </div> <div class="vector-header-end"> <div id="p-search" role="search" class="vector-search-box-vue vector-search-box-collapses vector-search-box-show-thumbnail vector-search-box-auto-expand-width vector-search-box"> <a href="/wiki/Special:Search" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only search-toggle" title="Search Wikipedia [f]" accesskey="f"><span class="vector-icon mw-ui-icon-search mw-ui-icon-wikimedia-search"></span> <span>Search</span> </a> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail cdx-typeahead-search--auto-expand-width"> <form action="/w/index.php" id="searchform" class="cdx-search-input cdx-search-input--has-end-button"> <div id="simpleSearch" class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search Wikipedia" aria-label="Search Wikipedia" autocapitalize="sentences" title="Search Wikipedia [f]" accesskey="f" id="searchInput" > <span class="cdx-text-input__icon cdx-text-input__start-icon"></span> </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <nav class="vector-user-links vector-user-links-wide" aria-label="Personal tools"> <div class="vector-user-links-main"> <div id="p-vector-user-menu-preferences" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-userpage" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-dropdown" class="vector-dropdown " title="Change the appearance of the page's font size, width, and color" > <input type="checkbox" id="vector-appearance-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-appearance-dropdown" class="vector-dropdown-checkbox " aria-label="Appearance" > <label id="vector-appearance-dropdown-label" for="vector-appearance-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-appearance mw-ui-icon-wikimedia-appearance"></span> <span class="vector-dropdown-label-text">Appearance</span> </label> <div class="vector-dropdown-content"> <div id="vector-appearance-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div id="p-vector-user-menu-notifications" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-overflow" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en" class=""><span>Donate</span></a> </li> <li id="pt-createaccount-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:CreateAccount&returnto=HTTP+request+smuggling&returntoquery=action%3Dedit" title="You are encouraged to create an account and log in; however, it is not mandatory" class=""><span>Create account</span></a> </li> <li id="pt-login-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:UserLogin&returnto=HTTP+request+smuggling&returntoquery=action%3Dedit" title="You're encouraged to log in; however, it's not mandatory. [o]" accesskey="o" class=""><span>Log in</span></a> </li> </ul> </div> </div> </div> <div id="vector-user-links-dropdown" class="vector-dropdown vector-user-menu vector-button-flush-right vector-user-menu-logged-out" title="Log in and more options" > <input type="checkbox" id="vector-user-links-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-user-links-dropdown" class="vector-dropdown-checkbox " aria-label="Personal tools" > <label id="vector-user-links-dropdown-label" for="vector-user-links-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-ellipsis mw-ui-icon-wikimedia-ellipsis"></span> <span class="vector-dropdown-label-text">Personal tools</span> </label> <div class="vector-dropdown-content"> <div id="p-personal" class="vector-menu mw-portlet mw-portlet-personal user-links-collapsible-item" title="User menu" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport" class="user-links-collapsible-item mw-list-item"><a href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en"><span>Donate</span></a></li><li id="pt-createaccount" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:CreateAccount&returnto=HTTP+request+smuggling&returntoquery=action%3Dedit" title="You are encouraged to create an account and log in; however, it is not mandatory"><span class="vector-icon mw-ui-icon-userAdd mw-ui-icon-wikimedia-userAdd"></span> <span>Create account</span></a></li><li id="pt-login" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:UserLogin&returnto=HTTP+request+smuggling&returntoquery=action%3Dedit" title="You're encouraged to log in; however, it's not mandatory. [o]" accesskey="o"><span class="vector-icon mw-ui-icon-logIn mw-ui-icon-wikimedia-logIn"></span> <span>Log in</span></a></li> </ul> </div> </div> <div id="p-user-menu-anon-editor" class="vector-menu mw-portlet mw-portlet-user-menu-anon-editor" > <div class="vector-menu-heading"> Pages for logged out editors <a href="/wiki/Help:Introduction" aria-label="Learn more about editing"><span>learn more</span></a> </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-anoncontribs" class="mw-list-item"><a href="/wiki/Special:MyContributions" title="A list of edits made from this IP address [y]" accesskey="y"><span>Contributions</span></a></li><li id="pt-anontalk" class="mw-list-item"><a href="/wiki/Special:MyTalk" title="Discussion about edits from this IP address [n]" accesskey="n"><span>Talk</span></a></li> </ul> </div> </div> </div> </div> </nav> </div> </header> </div> <div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="vector-sitenotice-container"> <div id="siteNotice"></div> </div> <div class="vector-column-start"> <div class="vector-main-menu-container"> <div id="mw-navigation"> <nav id="mw-panel" class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-pinned-container" class="vector-pinned-container"> </div> </nav> </div> </div> </div> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <h1 id="firstHeading" class="firstHeading mw-first-heading">View source for HTTP request smuggling</h1> <div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="This article exist only in this language. Add the article for other languages" > <label id="p-lang-btn-label" for="p-lang-btn-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive mw-portlet-lang-heading-0" aria-hidden="true" ><span class="vector-icon mw-ui-icon-language-progressive mw-ui-icon-wikimedia-language-progressive"></span> <span class="vector-dropdown-label-text">Add languages</span> </label> <div class="vector-dropdown-content"> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> <div class="after-portlet after-portlet-lang"><span class="uls-after-portlet-link"></span></div> </div> </div> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/HTTP_request_smuggling" title="View the content page [c]" accesskey="c"><span>Article</span></a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:HTTP_request_smuggling" rel="discussion" title="Discuss improvements to the content page [t]" accesskey="t"><span>Talk</span></a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">English</span> </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="vector-tab-noicon mw-list-item"><a href="/wiki/HTTP_request_smuggling"><span>Read</span></a></li><li id="ca-edit" class="selected vector-tab-noicon mw-list-item"><a href="/w/index.php?title=HTTP_request_smuggling&action=edit" title="Edit this page"><span>Edit</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=HTTP_request_smuggling&action=history" title="Past revisions of this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="vector-more-collapsible-item mw-list-item"><a href="/wiki/HTTP_request_smuggling"><span>Read</span></a></li><li id="ca-more-edit" class="selected vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=HTTP_request_smuggling&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=HTTP_request_smuggling&action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/HTTP_request_smuggling" title="List of all English Wikipedia pages containing links to this page [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/HTTP_request_smuggling" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_Upload_Wizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=HTTP_request_smuggling&action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&url=https%3A%2F%2Fen.wikipedia.org%2Fw%2Findex.php%3Ftitle%3DHTTP_request_smuggling%26action%3Dedit"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&url=https%3A%2F%2Fen.wikipedia.org%2Fw%2Findex.php%3Ftitle%3DHTTP_request_smuggling%26action%3Dedit"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-wikibase" class="wb-otherproject-link wb-otherproject-wikibase-dataitem mw-list-item"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q96380193" title="Structured data on this page hosted by Wikidata [g]" accesskey="g"><span>Wikidata item</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> </div> <div id="contentSub"><div id="mw-content-subtitle">← <a href="/wiki/HTTP_request_smuggling" title="HTTP request smuggling">HTTP request smuggling</a></div></div> <div id="mw-content-text" class="mw-body-content"><p>You do not have permission to edit this page, for the following reasons: </p> <ul class="permissions-errors"><li class="mw-permissionerror-blockedtext"> <div id="mw-blocked-text" style="border: 1px solid #AAA; background-color: var(--background-color-warning-subtle, ivory); color: inherit; padding: 1.5em; width: 100%; box-sizing: border-box;"> <div style="text-align: center;"><span style="font-size: 26px;"><span typeof="mw:File"><a href="/wiki/File:Stop_hand_nuvola.svg" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/en/thumb/f/f1/Stop_hand_nuvola.svg/50px-Stop_hand_nuvola.svg.png" decoding="async" width="50" height="50" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/f/f1/Stop_hand_nuvola.svg/75px-Stop_hand_nuvola.svg.png 1.5x, //upload.wikimedia.org/wikipedia/en/thumb/f/f1/Stop_hand_nuvola.svg/100px-Stop_hand_nuvola.svg.png 2x" data-file-width="240" data-file-height="240" /></a></span><b> This IP address has been <a href="/wiki/Wikipedia:Blocking_policy" title="Wikipedia:Blocking policy">blocked</a> from <i>editing</i> Wikipedia.</b></span><br /><span style="font-size: 18px;">This does not affect your ability to <i>read</i> Wikipedia pages.</span></div><div class="paragraphbreak" style="margin-top:0.5em"></div><b>Most people who see this message have done nothing wrong.</b> Some kinds of blocks restrict editing from specific service providers or telecom companies in response to recent abuse or vandalism, and can sometimes affect other users who are unrelated to that abuse. Review the information below for assistance if you do not believe that you have done anything wrong.<div class="paragraphbreak" style="margin-top:0.5em"></div> <p>The IP address or range 8.222.128.0/17 has been <a href="/wiki/Wikipedia:Blocking_policy" title="Wikipedia:Blocking policy">blocked</a> by <a href="/wiki/User:L235" title="User:L235">‪L235‬</a> for the following reason(s): </p> <div style="padding:10px; background:var(--background-color-base, white); color:inherit; border:1px #666 solid;"> <div class="user-block colocation-webhost" style="margin-bottom: 0.5em; background-color: #ffefd5; border: 1px solid #AAA; padding: 0.7em;"> <figure class="mw-halign-left" typeof="mw:File"><span><img src="//upload.wikimedia.org/wikipedia/commons/thumb/5/53/Server-multiple.svg/40px-Server-multiple.svg.png" decoding="async" width="40" height="57" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/5/53/Server-multiple.svg/60px-Server-multiple.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/5/53/Server-multiple.svg/80px-Server-multiple.svg.png 2x" data-file-width="744" data-file-height="1052" /></span><figcaption></figcaption></figure><b>The <a href="/wiki/IP_address" title="IP address">IP address</a> that you are currently using has been blocked because it is believed to be a <a href="/wiki/Web_hosting_service" title="Web hosting service">web host provider</a> or <a href="/wiki/Colocation_centre" title="Colocation centre">colocation provider</a>.</b> To prevent abuse, <a href="/wiki/Wikipedia:Open_proxies" title="Wikipedia:Open proxies">web hosts and colocation providers may be blocked</a> from editing Wikipedia. <div style="border-top: 1px solid #AAA; clear: both">You will not be able to edit Wikipedia using a web host or colocation provider because it hides your IP address, much like a <a href="/wiki/Wikipedia:Open_proxies" title="Wikipedia:Open proxies">proxy</a> or <a href="/wiki/Virtual_private_network" title="Virtual private network">VPN</a>. <p><b>We recommend that you attempt to use another connection to edit.</b> For example, if you use a proxy or VPN to connect to the internet, turn it off when editing Wikipedia. If you edit using a mobile connection, try using a Wi-Fi connection, and vice versa. If you are using a corporate internet connection, switch to a different Wi-Fi network. If you have a Wikipedia account, please log in. </p><p>If you do not have any other way to edit Wikipedia, you will need to <a href="/wiki/Wikipedia:IP_block_exemption#Requesting_and_granting_exemption" title="Wikipedia:IP block exemption">request an IP block exemption</a>. </p> <style data-mw-deduplicate="TemplateStyles:r1214851843">.mw-parser-output .hidden-begin{box-sizing:border-box;width:100%;padding:5px;border:none;font-size:95%}.mw-parser-output .hidden-title{font-weight:bold;line-height:1.6;text-align:left}.mw-parser-output .hidden-content{text-align:left}@media all and (max-width:500px){.mw-parser-output .hidden-begin{width:auto!important;clear:none!important;float:none!important}}</style><div class="hidden-begin mw-collapsible mw-collapsed" style=""><div class="hidden-title skin-nightmode-reset-color" style="text-align:center;">How to appeal if you are confident that your connection does not use a colocation provider's IP address:</div><div class="hidden-content mw-collapsible-content" style=""> If you are confident that you are not using a web host, you may <a href="/wiki/Wikipedia:Appealing_a_block" title="Wikipedia:Appealing a block">appeal this block</a> by adding the following text on your <a href="/wiki/Help:Talk_pages" title="Help:Talk pages">talk page</a>: <code>{{<a href="/wiki/Template:Unblock" title="Template:Unblock">unblock</a>|reason=Caught by a colocation web host block but this host or IP is not a web host. My IP address is _______. <i>Place any further information here.</i> ~~~~}}</code>. <b>You must fill in the blank with your IP address for this block to be investigated.</b> Your IP address can be determined <span class="plainlinks"><b><a class="external text" href="https://en.wikipedia.org/wiki/Wikipedia:Get_my_IP_address?withJS=MediaWiki:Get-my-ip.js">here</a></b></span>. Alternatively, if you wish to keep your IP address private you can use the <a href="/wiki/Wikipedia:Unblock_Ticket_Request_System" title="Wikipedia:Unblock Ticket Request System">unblock ticket request system</a>. There are several reasons you might be editing using the IP address of a web host or colocation provider (such as if you are using VPN software or a business network); please use this method of appeal only if you think your IP address is in fact not a web host or colocation provider.</div></div> <p><span class="sysop-show" style="font-size: 85%;"><span style="border:#707070 solid 1px;background-color:#ffe0e0;padding:2px"><b>Administrators:</b></span> The <a href="/wiki/Wikipedia:IP_block_exemption" title="Wikipedia:IP block exemption">IP block exemption</a> user right should only be applied to allow users to edit using web host in exceptional circumstances, and requests should usually be directed to the functionaries team via email. If you intend to give the IPBE user right, a <a href="/wiki/Wikipedia:CheckUser" title="Wikipedia:CheckUser">CheckUser</a> needs to take a look at the account. This can be requested most easily at <a href="/wiki/Wikipedia:SPI#Quick_CheckUser_requests" class="mw-redirect" title="Wikipedia:SPI">SPI Quick Checkuser Requests</a>. <b>Unblocking</b> an IP or IP range with this template <b>is highly discouraged</b> without at least contacting the blocking administrator.</span> </p> </div></div> </div> <p>This block will expire on 18:23, 24 August 2026. Your current IP address is 8.222.208.146. </p> <div class="paragraphbreak" style="margin-top:0.5em"></div><div style="font-size: 16px;"> <p>Even when blocked, you will <i>usually</i> still be able to edit your <a href="/wiki/Special:MyTalk" title="Special:MyTalk">user talk page</a>, as well as <a href="/wiki/Wikipedia:Emailing_users" title="Wikipedia:Emailing users">email</a> administrators and other editors. </p> </div> <div class="paragraphbreak" style="margin-top:0.5em"></div><div style="font-size: 16px;"> <p>For information on how to proceed, please read the <b><a href="/wiki/Wikipedia:Appealing_a_block#Common_questions" title="Wikipedia:Appealing a block">FAQ for blocked users</a></b> and the <a href="/wiki/Wikipedia:Appealing_a_block" title="Wikipedia:Appealing a block">guideline on block appeals</a>. The <a href="/wiki/Wikipedia:Guide_to_appealing_blocks" title="Wikipedia:Guide to appealing blocks">guide to appealing blocks</a> may also be helpful. </p> </div> <p>Other useful links: <a href="/wiki/Wikipedia:Blocking_policy" title="Wikipedia:Blocking policy">Blocking policy</a> · <a href="/wiki/Help:I_have_been_blocked" title="Help:I have been blocked">Help:I have been blocked</a> </p> </div></li><li class="mw-permissionerror-globalblocking-blockedtext-range"> <div id="mw-blocked-text" style="border: 1px solid #AAA; background-color: var(--background-color-warning-subtle, ivory); color: inherit; padding: 1.5em; width: 100%; box-sizing: border-box;"> <div style="text-align: center;"><span style="font-size: 26px;"><span typeof="mw:File"><a href="/wiki/File:Stop_hand_nuvola.svg" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/en/thumb/f/f1/Stop_hand_nuvola.svg/50px-Stop_hand_nuvola.svg.png" decoding="async" width="50" height="50" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/f/f1/Stop_hand_nuvola.svg/75px-Stop_hand_nuvola.svg.png 1.5x, //upload.wikimedia.org/wikipedia/en/thumb/f/f1/Stop_hand_nuvola.svg/100px-Stop_hand_nuvola.svg.png 2x" data-file-width="240" data-file-height="240" /></a></span><b> This IP address range has been <a href="https://meta.wikimedia.org/wiki/Global_blocks" class="extiw" title="m:Global blocks">globally blocked</a>.</b></span><br /><span style="font-size: 18px;">This does not affect your ability to <i>read</i> Wikipedia pages.</span></div><div class="paragraphbreak" style="margin-top:0.5em"></div><b>Most people who see this message have done nothing wrong.</b> Some kinds of blocks restrict editing from specific service providers or telecom companies in response to recent abuse or vandalism, and can sometimes affect other users who are unrelated to that abuse. Review the information below for assistance if you do not believe that you have done anything wrong.<div class="paragraphbreak" style="margin-top:0.5em"></div><div class="paragraphbreak" style="margin-top:0.5em"></div> <p>This block affects editing on all Wikimedia wikis. </p><p>The IP address or range 8.222.128.0/17 has been globally <a href="/wiki/Wikipedia:Blocking_policy" title="Wikipedia:Blocking policy">blocked</a> by <a href="/wiki/User:Jon_Kolbert" title="User:Jon Kolbert">‪Jon Kolbert‬</a> for the following reason(s): </p> <div style="padding:10px; background:var(--background-color-base, white); color:inherit; border:1px #666 solid;"> <p><a href="https://meta.wikimedia.org/wiki/Special:MyLanguage/NOP" class="extiw" title="m:Special:MyLanguage/NOP">Open proxy/Webhost</a>: See the <a href="https://meta.wikimedia.org/wiki/WM:OP/H" class="extiw" title="m:WM:OP/H">help page</a> if you are affected </p> </div> <p>This block will expire on 15:12, 27 August 2028. Your current IP address is 8.222.208.146. </p> <div class="paragraphbreak" style="margin-top:0.5em"></div><div style="font-size: 16px;"> <p>Even while globally blocked, you will <i>usually</i> still be able to edit pages on <a href="https://meta.wikimedia.org/wiki/" class="extiw" title="m:">Meta-Wiki</a>. </p> </div> <div class="paragraphbreak" style="margin-top:0.5em"></div><div style="font-size: 16px;"> <p>If you believe you were blocked by mistake, you can find additional information and instructions in the <a href="https://meta.wikimedia.org/wiki/Special:MyLanguage/No_open_proxies" class="extiw" title="m:Special:MyLanguage/No open proxies">No open proxies</a> global policy. Otherwise, to discuss the block please <a href="https://meta.wikimedia.org/wiki/Steward_requests/Global" class="extiw" title="m:Steward requests/Global">post a request for review on Meta-Wiki</a>. You could also send an email to the <a href="https://meta.wikimedia.org/wiki/Special:MyLanguage/Stewards" class="extiw" title="m:Special:MyLanguage/Stewards">stewards</a> <a href="https://meta.wikimedia.org/wiki/Special:MyLanguage/VRT" class="extiw" title="m:Special:MyLanguage/VRT">VRT</a> queue at <kbd>stewards@wikimedia.org</kbd> including all above details. </p> </div> <p>Other useful links: <a href="https://meta.wikimedia.org/wiki/Global_blocks" class="extiw" title="m:Global blocks">Global blocks</a> · <a href="/wiki/Help:I_have_been_blocked" title="Help:I have been blocked">Help:I have been blocked</a> </p> </div></li></ul><hr /> <div id="viewsourcetext">You can view and copy the source of this page:</div><textarea readonly="" accesskey="," id="wpTextbox1" cols="80" rows="25" style="" class="mw-editfont-monospace" lang="en" dir="ltr" name="wpTextbox1">{{short description|Web security vulnerability}} {{HTTP}} '''HTTP request smuggling''' ('''HRS''') is a [[security exploit]] on the [[HTTP]] protocol that takes advantage of an inconsistency between the interpretation of [[List of HTTP header fields#content-length-response-header|<code>Content-Length</code>]] and [[List of HTTP header fields#transfer-encoding-response-header|<code>Transfer-Encoding</code>]] headers between HTTP server implementations in an [[HTTP proxy server]] chain.<ref>{{Cite web|url=https://cwe.mitre.org/data/definitions/444.html|title=CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)|website=cwe.mitre.org|access-date=2020-03-13}}</ref><ref name="portswigger1">{{Cite web|url=https://portswigger.net/web-security/request-smuggling|title=What is HTTP request smuggling? Tutorial & Examples {{!}} Web Security Academy|website=portswigger.net|access-date=2020-03-13}}</ref> It was first documented in 2005 by Linhart et al.<ref name="HRS">{{cite web|url=https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf|title=HTTP request smuggling|date=2005|last1=Linhart|first1=Chaim|last2=Klein|first2=Amit|last3=Heled|first3=Ronen|last4=Orrin|first4=Steve}}</ref> The Transfer-Encoding header works by defining a directive on how to interpret the body of the [[HTTP request]], with the common and necessary directive for this attack being the [[chunked transfer encoding]].<ref name ="mozillatransfer">{{Cite web|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding|title=Transfer-Encoding|website=developer.mozilla.org|access-date=2022-12-15}}</ref> When the Transfer-Encoding header is present, the Content-Length header is supposed to be omitted.<ref name="mozillatransfer" /> Working similarly but with a different syntax, the Content-Length header works by specifying the size in bytes of the body as a value in the header itself.<ref name="mozillacontentlength">{{Cite web|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Length#:~:text=The%20Content%2DLength%20header%20indicates,bytes%2C%20sent%20to%20the%20recipient.|title=Content-Length|website=developer.mozilla.org|access-date=2022-12-15}}</ref> Vulnerabilities arise when both of these headers are included in a malicious HTTP request, bypassing security functions meant to prevent malicious HTTP queries to the server by causing either the [[Frontend and backend|front-end or back-end]] server to incorrectly interpret the request.<ref name="imperva">{{Cite web|url=https://www.imperva.com/learn/application-security/http-request-smuggling/#:~:text=An%20HTTP%20request%20smuggling%20vulnerability,through%20a%20malicious%20HTTP%20query|title=HTTP Request Smuggling|website=imperva.com|access-date=2022-12-15}}</ref> HTTP request smuggling commonly takes the form of CL.TE, TE.CL, or TE.TE, although more complex attacks using HRS do exist.<ref name='imperva' /> ==Types== ===CL.TE=== In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.<ref name="portswigger1" /> The attack would be carried out with the first part of the request declaring a zero length chunk.<ref name="imperva" /> The front end server seeing this would only read the first part of the request and unintentionally pass the second part to the back end server.<ref name="imperva" /> Once passed through to the back end server, it would be treated as the next request and processed, carrying out the attackers hidden request.<ref name="imperva" /> ===TE.CL=== In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.<ref name="portswigger1" /> In this attack, a hacker would declare the valid length of the first chunk, which houses the malicious request and then declare a second chunk with a length of 0.<ref name ="imperva" /> When the front end server sees the second chunk with a length of 0 it believes the request to be complete and passes it along to the back end server.<ref name="imperva" /> The back end server processes the request using the Content-Length header, however, and as a result the malicious request left in the first chunk go unprocessed until they are treating as being at the start of next request in the sequence and are carried out.<ref name="portswigger1" /> ===TE.TE=== In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a way (for example by nonstandard whitespace formatting or duplicate headers) that makes one of the servers but not the other one ignore it.<ref name="portswigger1" /> Obscuring the header may take the form of adding in an incorrect character, such as Transfer-Encoding: xchunked, or an unusual new line character between 'Transfer-Encoding' and ': chunked'.<ref name="imperva" /> If one of the front of back end servers still processes these obfuscated HTTP requests, then the rest of the attack will be similar to how CL.TE or TE.CL attacks work.<ref name="imperva" /> ==Prevention== The best prevention to these attacks would clearly be if front end and back end servers interpreted HTTP requests the same way. However, this is usually not an option as [[load balancer]]s support backend servers run on distinct platforms, using different software.<ref name="imperva" /> Most variants{{Specify|date=May 2023}} of this attack can be prevented by using [[HTTP/2]], as it uses a different method to determine the length of a request. Another method of avoiding the attack is for the frontend server to normalize HTTP requests before passing them to the backend, ensuring that they get interpreted in the same way.<ref name="portswigger1" /> Configuring a [[web application firewall]] is another good way to prevent HRS attacks as many feature technology that identify attack attempts and either blocks or sanitize the suspicious incoming requests.<ref name="imperva" /> Grenfeldt et al. (2021) found that most front-end web servers (e.g. proxy servers) provided the parsing features for hindering in practice, all the known HRS attacks on the back-end web servers.<ref name="Grenfeldt et al. (2021)">{{cite conference| vauthors=Grenfeldt M, Olofsson A, Engström V, Lagerström R |date=2021 | title=Attacking websites using HTTP request smuggling: empirical testing of servers and proxies | book-title=2021 IEEE 25th international enterprise distributed object computing conference (EDOC) | pages=173&ndash;181| publisher=IEEE| location=Australia | doi=10.1109/EDOC52215.2021.00028}}</ref> Huang et al. (2022) proposed a method using [[Flask (web framework)|Flask]] so to implement suitable parsing features that prevent HRS attacks, from a front-end program or web server.<ref name="Huang et al. (2022)">{{cite journal| vauthors=Huang Q, Chiu M, Chen Y, Sun H |date=2022 | title=Attacking websites: detecting and preventing HTTP request smuggling attacks| journal=Security and Communication Networks|volume=2022 |pages=1–14 | doi=10.1155/2022/3121177 |doi-access=free }}</ref> == References == {{reflist}} [[Category:Web security exploits]] [[Category:Hypertext Transfer Protocol headers]] </textarea><div class="templatesUsed"><div class="mw-templatesUsedExplanation"><p><span id="templatesused">Pages transcluded onto the current version of this page<span class="posteditwindowhelplinks"> (<a href="/wiki/Help:Transclusion" title="Help:Transclusion">help</a>)</span>:</span> </p></div><ul> <li><a href="/wiki/Template:Category_handler" title="Template:Category handler">Template:Category handler</a> (<a href="/w/index.php?title=Template:Category_handler&action=edit" title="Template:Category handler">view source</a>) (protected)</li><li><a href="/wiki/Template:Cite_conference" title="Template:Cite conference">Template:Cite conference</a> (<a href="/w/index.php?title=Template:Cite_conference&action=edit" title="Template:Cite conference">view source</a>) (protected)</li><li><a href="/wiki/Template:Cite_journal" title="Template:Cite journal">Template:Cite journal</a> (<a href="/w/index.php?title=Template:Cite_journal&action=edit" title="Template:Cite journal">view source</a>) (protected)</li><li><a href="/wiki/Template:Cite_web" title="Template:Cite web">Template:Cite web</a> (<a href="/w/index.php?title=Template:Cite_web&action=edit" title="Template:Cite web">view source</a>) (protected)</li><li><a href="/wiki/Template:Delink" title="Template:Delink">Template:Delink</a> (<a href="/w/index.php?title=Template:Delink&action=edit" title="Template:Delink">view source</a>) (protected)</li><li><a href="/wiki/Template:Fix" title="Template:Fix">Template:Fix</a> (<a href="/w/index.php?title=Template:Fix&action=edit" title="Template:Fix">view source</a>) (protected)</li><li><a href="/wiki/Template:Fix/category" title="Template:Fix/category">Template:Fix/category</a> (<a href="/w/index.php?title=Template:Fix/category&action=edit" title="Template:Fix/category">view source</a>) (protected)</li><li><a href="/wiki/Template:HTTP" title="Template:HTTP">Template:HTTP</a> (<a href="/w/index.php?title=Template:HTTP&action=edit" title="Template:HTTP">view source</a>) (semi-protected)</li><li><a href="/wiki/Template:Hlist/styles.css" title="Template:Hlist/styles.css">Template:Hlist/styles.css</a> (<a href="/w/index.php?title=Template:Hlist/styles.css&action=edit" title="Template:Hlist/styles.css">view source</a>) (protected)</li><li><a href="/wiki/Template:Main_other" title="Template:Main other">Template:Main other</a> (<a href="/w/index.php?title=Template:Main_other&action=edit" title="Template:Main other">view source</a>) (protected)</li><li><a href="/wiki/Template:Pagetype" title="Template:Pagetype">Template:Pagetype</a> (<a href="/w/index.php?title=Template:Pagetype&action=edit" title="Template:Pagetype">view source</a>) (protected)</li><li><a href="/wiki/Template:Reflist" title="Template:Reflist">Template:Reflist</a> (<a href="/w/index.php?title=Template:Reflist&action=edit" title="Template:Reflist">view source</a>) (protected)</li><li><a href="/wiki/Template:Reflist/styles.css" title="Template:Reflist/styles.css">Template:Reflist/styles.css</a> (<a href="/w/index.php?title=Template:Reflist/styles.css&action=edit" title="Template:Reflist/styles.css">view source</a>) (protected)</li><li><a href="/wiki/Template:SDcat" title="Template:SDcat">Template:SDcat</a> (<a href="/w/index.php?title=Template:SDcat&action=edit" title="Template:SDcat">view source</a>) (protected)</li><li><a href="/wiki/Template:Short_description" title="Template:Short description">Template:Short description</a> (<a href="/w/index.php?title=Template:Short_description&action=edit" title="Template:Short description">view source</a>) (protected)</li><li><a href="/wiki/Template:Short_description/lowercasecheck" title="Template:Short description/lowercasecheck">Template:Short description/lowercasecheck</a> (<a href="/w/index.php?title=Template:Short_description/lowercasecheck&action=edit" title="Template:Short description/lowercasecheck">view source</a>) (protected)</li><li><a href="/wiki/Template:Sidebar" title="Template:Sidebar">Template:Sidebar</a> (<a href="/w/index.php?title=Template:Sidebar&action=edit" title="Template:Sidebar">view source</a>) (template editor protected)</li><li><a href="/wiki/Template:Specify" title="Template:Specify">Template:Specify</a> (<a href="/w/index.php?title=Template:Specify&action=edit" title="Template:Specify">view source</a>) (template editor protected)</li><li><a href="/wiki/Module:Arguments" title="Module:Arguments">Module:Arguments</a> (<a href="/w/index.php?title=Module:Arguments&action=edit" title="Module:Arguments">view source</a>) (protected)</li><li><a href="/wiki/Module:Category_handler" title="Module:Category handler">Module:Category handler</a> (<a href="/w/index.php?title=Module:Category_handler&action=edit" title="Module:Category handler">view source</a>) (protected)</li><li><a href="/wiki/Module:Category_handler/blacklist" title="Module:Category handler/blacklist">Module:Category handler/blacklist</a> (<a href="/w/index.php?title=Module:Category_handler/blacklist&action=edit" title="Module:Category handler/blacklist">view source</a>) (protected)</li><li><a href="/wiki/Module:Category_handler/config" title="Module:Category handler/config">Module:Category handler/config</a> (<a href="/w/index.php?title=Module:Category_handler/config&action=edit" title="Module:Category handler/config">view source</a>) (protected)</li><li><a href="/wiki/Module:Category_handler/data" title="Module:Category handler/data">Module:Category handler/data</a> (<a href="/w/index.php?title=Module:Category_handler/data&action=edit" title="Module:Category handler/data">view source</a>) (protected)</li><li><a href="/wiki/Module:Category_handler/shared" title="Module:Category handler/shared">Module:Category handler/shared</a> (<a href="/w/index.php?title=Module:Category_handler/shared&action=edit" title="Module:Category handler/shared">view source</a>) (protected)</li><li><a href="/wiki/Module:Check_for_unknown_parameters" title="Module:Check for unknown parameters">Module:Check for unknown parameters</a> (<a href="/w/index.php?title=Module:Check_for_unknown_parameters&action=edit" title="Module:Check for unknown parameters">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1" title="Module:Citation/CS1">Module:Citation/CS1</a> (<a href="/w/index.php?title=Module:Citation/CS1&action=edit" title="Module:Citation/CS1">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/COinS" title="Module:Citation/CS1/COinS">Module:Citation/CS1/COinS</a> (<a href="/w/index.php?title=Module:Citation/CS1/COinS&action=edit" title="Module:Citation/CS1/COinS">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/Configuration" title="Module:Citation/CS1/Configuration">Module:Citation/CS1/Configuration</a> (<a href="/w/index.php?title=Module:Citation/CS1/Configuration&action=edit" title="Module:Citation/CS1/Configuration">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/Date_validation" title="Module:Citation/CS1/Date validation">Module:Citation/CS1/Date validation</a> (<a href="/w/index.php?title=Module:Citation/CS1/Date_validation&action=edit" title="Module:Citation/CS1/Date validation">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/Identifiers" title="Module:Citation/CS1/Identifiers">Module:Citation/CS1/Identifiers</a> (<a href="/w/index.php?title=Module:Citation/CS1/Identifiers&action=edit" title="Module:Citation/CS1/Identifiers">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/Utilities" title="Module:Citation/CS1/Utilities">Module:Citation/CS1/Utilities</a> (<a href="/w/index.php?title=Module:Citation/CS1/Utilities&action=edit" title="Module:Citation/CS1/Utilities">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/Whitelist" title="Module:Citation/CS1/Whitelist">Module:Citation/CS1/Whitelist</a> (<a href="/w/index.php?title=Module:Citation/CS1/Whitelist&action=edit" title="Module:Citation/CS1/Whitelist">view source</a>) (protected)</li><li><a href="/wiki/Module:Citation/CS1/styles.css" title="Module:Citation/CS1/styles.css">Module:Citation/CS1/styles.css</a> (<a href="/w/index.php?title=Module:Citation/CS1/styles.css&action=edit" title="Module:Citation/CS1/styles.css">view source</a>) (protected)</li><li><a href="/wiki/Module:Delink" title="Module:Delink">Module:Delink</a> (<a href="/w/index.php?title=Module:Delink&action=edit" title="Module:Delink">view source</a>) (protected)</li><li><a href="/wiki/Module:Disambiguation/templates" title="Module:Disambiguation/templates">Module:Disambiguation/templates</a> (<a href="/w/index.php?title=Module:Disambiguation/templates&action=edit" title="Module:Disambiguation/templates">view source</a>) (protected)</li><li><a href="/wiki/Module:Namespace_detect/config" title="Module:Namespace detect/config">Module:Namespace detect/config</a> (<a href="/w/index.php?title=Module:Namespace_detect/config&action=edit" title="Module:Namespace detect/config">view source</a>) (protected)</li><li><a href="/wiki/Module:Namespace_detect/data" title="Module:Namespace detect/data">Module:Namespace detect/data</a> (<a href="/w/index.php?title=Module:Namespace_detect/data&action=edit" title="Module:Namespace detect/data">view source</a>) (protected)</li><li><a href="/wiki/Module:Navbar" title="Module:Navbar">Module:Navbar</a> (<a href="/w/index.php?title=Module:Navbar&action=edit" title="Module:Navbar">view source</a>) (protected)</li><li><a href="/wiki/Module:Navbar/configuration" title="Module:Navbar/configuration">Module:Navbar/configuration</a> (<a href="/w/index.php?title=Module:Navbar/configuration&action=edit" title="Module:Navbar/configuration">view source</a>) (protected)</li><li><a href="/wiki/Module:Navbar/styles.css" title="Module:Navbar/styles.css">Module:Navbar/styles.css</a> (<a href="/w/index.php?title=Module:Navbar/styles.css&action=edit" title="Module:Navbar/styles.css">view source</a>) (protected)</li><li><a href="/wiki/Module:Pagetype" title="Module:Pagetype">Module:Pagetype</a> (<a href="/w/index.php?title=Module:Pagetype&action=edit" title="Module:Pagetype">view source</a>) (protected)</li><li><a href="/wiki/Module:Pagetype/config" title="Module:Pagetype/config">Module:Pagetype/config</a> (<a href="/w/index.php?title=Module:Pagetype/config&action=edit" title="Module:Pagetype/config">view source</a>) (protected)</li><li><a href="/wiki/Module:Pagetype/disambiguation" class="mw-redirect" title="Module:Pagetype/disambiguation">Module:Pagetype/disambiguation</a> (<a href="/w/index.php?title=Module:Pagetype/disambiguation&action=edit" class="mw-redirect" title="Module:Pagetype/disambiguation">view source</a>) (protected)</li><li><a href="/wiki/Module:Pagetype/rfd" title="Module:Pagetype/rfd">Module:Pagetype/rfd</a> (<a href="/w/index.php?title=Module:Pagetype/rfd&action=edit" title="Module:Pagetype/rfd">view source</a>) (protected)</li><li><a href="/wiki/Module:Pagetype/setindex" title="Module:Pagetype/setindex">Module:Pagetype/setindex</a> (<a href="/w/index.php?title=Module:Pagetype/setindex&action=edit" title="Module:Pagetype/setindex">view source</a>) (protected)</li><li><a href="/wiki/Module:Pagetype/softredirect" title="Module:Pagetype/softredirect">Module:Pagetype/softredirect</a> (<a href="/w/index.php?title=Module:Pagetype/softredirect&action=edit" title="Module:Pagetype/softredirect">view source</a>) (protected)</li><li><a href="/wiki/Module:SDcat" title="Module:SDcat">Module:SDcat</a> (<a href="/w/index.php?title=Module:SDcat&action=edit" title="Module:SDcat">view source</a>) (protected)</li><li><a href="/wiki/Module:Sidebar" title="Module:Sidebar">Module:Sidebar</a> (<a href="/w/index.php?title=Module:Sidebar&action=edit" title="Module:Sidebar">view source</a>) (template editor protected)</li><li><a href="/wiki/Module:Sidebar/configuration" title="Module:Sidebar/configuration">Module:Sidebar/configuration</a> (<a href="/w/index.php?title=Module:Sidebar/configuration&action=edit" title="Module:Sidebar/configuration">view source</a>) (template editor protected)</li><li><a href="/wiki/Module:Sidebar/styles.css" title="Module:Sidebar/styles.css">Module:Sidebar/styles.css</a> (<a href="/w/index.php?title=Module:Sidebar/styles.css&action=edit" title="Module:Sidebar/styles.css">view source</a>) (template editor protected)</li><li><a href="/wiki/Module:String" title="Module:String">Module:String</a> (<a href="/w/index.php?title=Module:String&action=edit" title="Module:String">view source</a>) (protected)</li><li><a href="/wiki/Module:Unsubst" title="Module:Unsubst">Module:Unsubst</a> (<a href="/w/index.php?title=Module:Unsubst&action=edit" title="Module:Unsubst">view source</a>) (protected)</li><li><a href="/wiki/Module:Wikitext_Parsing" title="Module:Wikitext Parsing">Module:Wikitext Parsing</a> (<a href="/w/index.php?title=Module:Wikitext_Parsing&action=edit" title="Module:Wikitext Parsing">view source</a>) (protected)</li><li><a href="/wiki/Module:Yesno" title="Module:Yesno">Module:Yesno</a> (<a href="/w/index.php?title=Module:Yesno&action=edit" title="Module:Yesno">view source</a>) (protected)</li></ul></div><p id="mw-returnto">Return to <a href="/wiki/HTTP_request_smuggling" title="HTTP request smuggling">HTTP request smuggling</a>.</p> <noscript><img src="https://login.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://en.wikipedia.org/wiki/HTTP_request_smuggling">https://en.wikipedia.org/wiki/HTTP_request_smuggling</a>"</div></div> <div id="catlinks" class="catlinks catlinks-allhidden" data-mw="interface"></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Wikipedia:About">About Wikipedia</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Wikipedia:General_disclaimer">Disclaimers</a></li> <li id="footer-places-contact"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Universal_Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/en.wikipedia.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//en.m.wikipedia.org/w/index.php?title=HTTP_request_smuggling&action=edit&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://wikimediafoundation.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/static/images/footer/wikimedia-button.svg" width="84" height="29" alt="Wikimedia Foundation" loading="lazy"></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/w/resources/assets/poweredby_mediawiki.svg" alt="Powered by MediaWiki" width="88" height="31" loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-5cd4cd96d5-wt2jk","wgBackendResponseTime":372,"wgPageParseReport":{"limitreport":{"cputime":"0.073","walltime":"0.094","ppvisitednodes":{"value":418,"limit":1000000},"postexpandincludesize":{"value":17740,"limit":2097152},"templateargumentsize":{"value":6556,"limit":2097152},"expansiondepth":{"value":9,"limit":100},"expensivefunctioncount":{"value":0,"limit":500},"unstrip-depth":{"value":0,"limit":20},"unstrip-size":{"value":469,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 65.712 1 -total"," 99.86% 65.618 2 Template:Blocked_text"," 41.15% 27.038 1 Template:Colocationwebhost"," 39.30% 25.827 2 Template:Replace"," 36.08% 23.710 1 Template:Hidden"," 15.13% 9.945 1 Template:Hidden_begin"," 14.67% 9.642 1 Template:Tlx"," 2.54% 1.669 1 Template:Hidden_end"," 2.16% 1.421 1 MediaWiki:Wikimedia-globalblocking-blockedtext-mistake"," 1.94% 1.275 1 MediaWiki:Wikimedia-globalblocking-blockedtext-mistake-email-steward"]},"scribunto":{"limitreport-timeusage":{"value":"0.014","limit":"10.000"},"limitreport-memusage":{"value":1043322,"limit":52428800}},"cachereport":{"origin":"mw-web.codfw.main-5cd4cd96d5-wt2jk","timestamp":"20241127030926","ttl":2592000,"transientcontent":false}}});});</script> </body> </html>