loading
loading
Vulnerabilities
A Python tool that detects HTTP request smuggling across a target or a list of targets.
overview
HTTP request smuggling happens when a front-end proxy and a back-end server disagree about where one request ends and the next begins, usually because they parse the Content-Length and Transfer-Encoding headers differently. An attacker abuses that gap to slip a hidden request past the proxy, poisoning the response queue, bypassing front-end controls, or capturing other users' requests.
This tool automates the detection step. It sends CL.TE and TE.CL desync payloads to each target and watches the response timing: a back-end that stalls waiting for a smuggled request reveals the parsing mismatch. You set the HTTP method, socket timeout, and retry count, and it re-sends the payload to confirm a finding instead of trusting a single flaky response.
On Trickest, http-request-smuggling is a Vulnerabilities node that reads a single URL or a URLs file and writes a folder of results. Run it after httpx so it tests only live hosts, and treat every hit as a candidate for manual confirmation, since smuggling impact depends on the exact proxy and back-end sitting in front of the app.
use cases
Pass a URLs file so the tool probes every live host for request smuggling in one run instead of testing each by hand.
Point it at one URL with -u and raise --retry to separate a real desync from a flaky response before you escalate.
Adjust --timeout and --method so the check stays reliable against proxies that buffer, rate-limit, or reject POST.
Run it after httpx so smuggling probes only hit hosts that responded, keeping the run focused and quieter.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| single-url | STRING | -u | Single target URL to test, e.g. https://target.com. |
| urls-file | FILE | --urls | File listing target URLs to test, one per line. |
| http-method | STRING | --method | HTTP method to use, GET or POST (default POST). |
| timeout | STRING | --timeout | Socket timeout in seconds (default 10). |
| retry-payload | STRING | --retry | Retry count to re-execute the payload (default 2). |
Showing key inputs. http-request-smuggling exposes 5 inputs in total.
example
# probe a single host for HTTP request smugglinghrs -u https://example.com --method POST --retry 3 --timeout 15[*] http-request-smuggling detection started[*] Target: https://example.com method=POST timeout=15 retry=3[CL.TE] payload sent, waiting on socket... response time 9.84s[CL.TE] VULNERABLE (back-end blocked on the smuggled request)[TE.CL] payload sent, waiting on socket... response time 0.31s[TE.CL] not vulnerable[*] 1 target tested, 1 flagged for review[*] results written to output/guidance
Use this tool for a focused HTTP request smuggling check across a list of live hosts. For broad templated coverage that includes some smuggling checks, nuclei is wider. For deep manual desync research, pair its candidates with a hands-on proxy.
Template scanner with some smuggling checks among thousands. Broader, less specialized for desync.
Probes which hosts are live. Run it first so smuggling tests only hit responding targets.
Another dedicated desync detector. Cross-check its results to confirm a smuggling finding across tools.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A URL list is probed by httpx, then http-request-smuggling tests the live hosts for desync and writes the candidate findings as a queryable output.
Facts on this page come from the live Trickest tool library.