Protocol: Request smuggling¶

Identifier: request_smuggling

Scanner(s) Support¶

Description¶

Request smuggling happens when there's a mix-up between servers about how to process a single request. If a front-end proxy or load balancer and the backend server interpret a request differently, an attacker can sneak in malicious content that one server sees but the other misses. This makes it possible for them to bypass security checks, potentially leading to unauthorized actions, data leaks, or other dangerous outcomes. Developers often fall into the trap of not strictly validating requests or assuming the system's parts will handle requests exactly the same way, which means paying close attention to how HTTP headers and boundaries are parsed is key.

References:

• https://portswigger.net/web-security/request-smuggling
• https://en.wikipedia.org/wiki/HTTP_request_smuggling

Configuration¶

Example¶

Example configuration:

---
security_tests:
  request_smuggling:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

assets_allowed¶

Type : List[AssetType]*

List of assets that this check will cover.

skip¶

Type : boolean

Skip the test if true.