Reverse Proxy

HTTP Request Smuggling

The front-end and back-end proxies disagree on whether `Content-Length` or `Transfer-Encoding` delimits the request body, opening a CL.TE desync that smuggles a hidden second request.

CWE-444
Smuggling demo

  

Expected Findings

  • Front-end uses `Content-Length`; back-end honors `Transfer-Encoding: chunked`.
  • Smuggled prefix becomes the next victim request on the keep-alive connection.
  • Admin endpoints are reachable only via the back-end, so smuggling lets attackers hit them.

Signals

Headers
Content-Length: 6
Transfer-Encoding: chunked
0

GET /admin/internal HTTP/1.1

Notes

  • This is a calibration emulation; the live HTTP server here does not actually desync.
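
Added example (not part of the original page): a Python check that flags the ambiguous framing shown under Signals, by comparing how many body bytes a `Content-Length` parser and a chunked parser would each consume. The request line, `Host` header and function names are constructed for illustration, and trailers after the last chunk are not handled.

```python
CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"

def parse_head(raw: bytes):
    """Split a raw request into (header list, body); duplicate headers are kept."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF)[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return headers, body

def chunked_length(body: bytes):
    """Bytes a strict chunked parser consumes, or None if the data is malformed."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            return None
        tok = body[pos:eol].split(b";")[0]       # drop chunk extensions
        if not tok or tok.strip(HEX):            # only plain hex digits allowed
            return None
        size, pos = int(tok, 16), eol + 2
        if size == 0:                            # last chunk, empty trailer expected
            return pos + 2 if body[pos:pos + 2] == CRLF else None
        pos += size
        if body[pos:pos + 2] != CRLF:
            return None
        pos += 2

def framing_issues(raw: bytes):
    """Return the reasons a request's body length is ambiguous (CWE-444)."""
    headers, body = parse_head(raw)
    cl = [v for n, v in headers if n.strip().lower() == b"content-length"]
    te = [v for n, v in headers if n.strip().lower() == b"transfer-encoding"]
    issues = []
    if any(n != n.strip() for n, _ in headers):
        issues.append("whitespace around header name")
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
        te_len = chunked_length(body)
        if cl[0].isdigit() and te_len is not None and int(cl[0]) != te_len:
            issues.append(f"body length differs: CL={int(cl[0])} chunked={te_len}")
    return issues

# Constructed sample built around the Signals block on this page.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin/internal HTTP/1.1\r\n\r\n")
```

A front-end that rejects or normalizes any request for which `framing_issues` returns a non-empty list removes the disagreement before the back-end ever parses it.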