loading
loading
Vulnerabilities
An HTTP request smuggling and desync testing tool written in Python 3.
overview
smuggler probes a target endpoint for HTTP request smuggling, the desync class where a front-end proxy and a back-end server disagree about where one request ends and the next begins. Crafted Content-Length and Transfer-Encoding combinations expose that mismatch, which can let an attacker prepend data onto another user's request, poison caches, or bypass front-end controls.
Point it at a URL, choose an HTTP method and optional virtual host, and run the built-in payload set, or load a config file of custom mutations for a specific proxy stack. Quiet mode logs only confirmed issues; exit-early stops on the first finding when a wide sweep only needs a yes-or-no answer.
On Trickest, smuggler is a Vulnerabilities node that takes a target URL and writes a file and a folder of results. Run it against live endpoints from earlier probing, then route confirmed findings into manual verification or reporting.
source github.com/defparam/smuggler
use cases
Probe a URL with crafted Content-Length and Transfer-Encoding combinations to detect front-end and back-end disagreement about request boundaries.
Enable quiet mode so the output logs only smuggling findings and keeps noise out of an automated pipeline.
Use exit-early when you only need to know whether a host is vulnerable, not the full payload matrix, across many targets.
Supply a config file of payloads to test mutations specific to a target's proxy stack beyond the built-in set.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Target URL with Endpoint |
| method | STRING | --method | HTTP method to use (e.g GET, POST) Default: POST |
| vhost | STRING | --vhost | Specify a virtual host |
| configfile | FILE | --configfile | Filepath to the configuration file of payloads |
| quiet | BOOLEAN | --quiet | Quiet mode will only log issues found |
| exit-early | BOOLEAN | --exit_early | Exit scan on first finding |
| no-color | BOOLEAN | --no-color | Suppress color codes |
Showing key inputs. smuggler exposes 7 inputs in total.
example
# probe a target for CL.TE / TE.CL desync, stop on first hitsmuggler.py -u https://example.com/api --method POST --quiet --exit_earlysmuggler v1.1 | target: https://example.com/api[+] TE.CL : Potential HTTP Request Smuggling └─ Transfer-Encoding: chunked + Content-Length mismatch[+] CL.TE : Timing anomaly vs baseline (delay ~3.1s)[-] H2.CL : no differential[-] H2.TE : no differential[*] Findings written to smuggler_out/[*] Exit early after first confirmed issueguidance
Use smuggler to test specific endpoints for HTTP request smuggling and desync. It is a focused vulnerability check, not a broad scanner. Run it against live hosts from a prober, and pair it with broader scanners for other vulnerability classes.
Looks for exposed files and misconfigurations rather than desync. A different web vulnerability class.
Recovers IIS short filenames. Another targeted server-side check, not request smuggling.
Finds hijackable broken social links by crawling a site. Unrelated bug class, run on the same surface.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A target URL feeds smuggler, which probes it for request-smuggling desync and writes confirmed findings as a queryable output.
Facts on this page come from the live Trickest tool library.