Web Application Security: HTTP Request Smuggling (1/2)

HTTP Request Smuggling
Overview: The HTTP Smuggling technique is performed by sending multiple specially crafted HTTP requests that cause two attacked entities to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. In a web cache poisoning attack, this smuggled request will trick the cache server into unintentionally associating a URL with another URL's page (content) and caching this content for the URL. In the web application firewall attack, the smuggled request can be a worm (like Nimda or Code Red) or a buffer overflow attack targeting the web server. Finally, because HTTP Request Smuggling enables the attacker to insert or sneak a request into the flow, it allows the attacker to manipulate the web server's request/response sequencing, which can allow for credential hijacking and other malicious outcomes.

HTTP Request Smuggling ("HRS") is a new hacking technique that targets HTTP devices. Indeed, whenever HTTP requests originating from a client pass through more than one entity that parses them, there is a good chance that these entities are vulnerable to HRS. For the purposes of this paper, we demonstrate HRS in three common settings:

* a web cache (proxy) server deployed between the client and the web server (W/S);
* a firewall (F/W) protecting the W/S;
* a web proxy server (not necessarily caching) deployed between the client and the W/S.

HRS relies on similar techniques to those set out in previous white papers. However, unlike HTTP Splitting, for example, HRS does not require the existence of an application vulnerability, such as a vulnerable ASP page on the W/S, to be effective. Instead, it is capable of exploiting small discrepancies in the way HTTP devices deal with illegitimate or borderline requests. As a result, HRS can be used successfully in significantly more sites than many other attacks.

What damage can HRS inflict? As we attempt to show, in the cache-server and W/S setting, an attacker can launch a smuggling attack in order to poison the cache server. Typically, the attacker can change the entries in the cache so that an existing (and cacheable) page A would be cached under URL B. In other words, a client requesting page B would be served the contents of page A. Obviously, this change of "wiring" could render a website totally unusable. Imagine what would happen if a site's homepage, http://SITE/, always responded with the contents of http://SITE/request_denied.html. In sites that allow the client to upload his or her own HTML pages and/or images, the damage can be much worse, since a hacker can point URLs in the site to his or her uploaded pages, effectively defacing the site.
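The "borderline requests" described above can be caught at the front-end device before two parsers get the chance to disagree. The following added example is not part of the original paper; it flags request heads whose body framing is ambiguous and shows how a first-wins and a last-wins parser would read different body lengths from the same bytes. The specific checks are assumptions based on the HTTP/1.1 message-framing rules (RFC 7230), which this page does not spell out, and all function names and sample requests are constructed for illustration.

```python
from __future__ import annotations
import re

# Constructed sample request heads (assumptions, not taken from the page).
CLEAN = b"POST /form HTTP/1.1\r\nHost: site.example\r\nContent-Length: 5\r\n\r\n"
CONFLICT = (b"POST /form HTTP/1.1\r\nHost: site.example\r\n"
            b"Content-Length: 0\r\nContent-Length: 44\r\n\r\n")
BOTH = (b"POST /form HTTP/1.1\r\nHost: site.example\r\n"
        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")

def parse_headers(head: bytes) -> list[tuple[str, str]]:
    """Return (lowercased raw name, stripped value) pairs from a request head."""
    pairs = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                             # blank line ends the head
        name, _, value = line.decode("latin-1").partition(":")
        pairs.append((name.lower(), value.strip()))
    return pairs

def content_lengths(head: bytes) -> list[str]:
    """All Content-Length values, in the order they appear."""
    return [v for n, v in parse_headers(head) if n.strip() == "content-length"]

def framing_issues(head: bytes) -> list[str]:
    """Reasons a strict front-end should reject the request (empty if none)."""
    headers = parse_headers(head)
    lengths = content_lengths(head)
    issues = []
    if any(n != n.strip() for n, _ in headers):
        issues.append("whitespace around header name")
    if any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        issues.append("non-numeric Content-Length")
    if len(set(lengths)) > 1:
        issues.append("conflicting Content-Length values")
    if lengths and any(n.strip() == "transfer-encoding" for n, _ in headers):
        issues.append("both Content-Length and Transfer-Encoding")
    return issues

def length_views(head: bytes) -> tuple[int, int] | None:
    """Body length as read by a first-wins parser and by a last-wins parser."""
    nums = [int(v) for v in content_lengths(head) if re.fullmatch(r"[0-9]+", v)]
    return (nums[0], nums[-1]) if nums else None
```

Whenever `length_views` returns two different numbers, the two devices would place the end of the request at different offsets, which is the condition a front-end should refuse (for example with a 400 response) rather than forward.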