International Cyber Expo International Cyber Expo
  • About Us
Saturday, 18 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

What is HTTP Request Smuggling and HTTP/2 Downgrading?

Q&A interview with Love Andren, Junior Application Security Auditor, Ghostlabs AppSec at Outpost24

by The Gurus
February 1, 2024
in Editor's News, Opinions & Analysis
AT&T Cybersecurity grows SASE offering by adding Palo Alto Networks
Share on FacebookShare on Twitter

Have you heard of the term HTTP Request Smuggling? What about HTTP/2 Downgrading? Well, these are vulnerabilities that can be exploited by cybercriminals when there are issues between the front-end and back-end of websites. If left unresolved, these can result in some very dire consequences for any business. The IT Security Guru chatted with Love Andren, Junior Application Security Auditor, Ghostlabs AppSec at Outpost24, to understand more about this threat.

IT Security Guru (ISG) – What is HTTP Request Smuggling?

Love – An exploit that abuses the fact the web server allows two separate methods when calculating body length, Transfer-Encoding and Content-Length. If both are sent in a single request, it could cause either the front-end or back-end server to interpret the request incorrectly, causing a desync in the back-end server. When done correctly, it would let an attacker smuggle a second HTTP request inside the first one, the response would then be served to the person issuing the next request to the application.

The most common techniques are built around specifying the length of the request body to a value smaller than the actual request body is. This then causes either the front- or back-end server to believe the request ends at a certain point, and the remaining part of the body containing the malicious request, gets smuggled.

The impact ranges from hijacking sessions, bypassing access control to Cross site scripting attacks.

ISG – What is HTTP/2 Downgrading?

Love – While HTTP/2 is widely used, there are still legacy back-end server that exclusively use HTTP/1 since it is still new. Since a HTTP/2 request compared to HTTP/1 is similar when it comes to structure (not the way they are sent) it is straightforward process to convert the request to the others syntax. One main and important difference is that HTTP/2 does not have to specify the request bodies length, since the request/response is sent as bytes.

The problems start when the front-end server starts accepting headers it should not accept, specifying the length of the request. For instance, sending a HTTP/2 request to the application with a body containing another request, but specifying the body length to “0”, could cause front-end server to see it as two separate requests when converting to HTTP/1.1.

In turn, this reintroduces request smuggling in HTTP/2 scenarios.

ISG – Why do organizations/security teams need to be aware of these threats? What can it lead to?

Love – The main reason is the impact of a successful request smuggling attack, as mentioned earlier. The ones listed before all have catastrophic implications for a web application.

Another reason is because of the complexity of the exploit itself; it might be overlooked when planning or skipped to focus on more common and easy to execute exploits (such as XSS or authorization issues).

ISG – Do you think this threat will become more prominent in 2024 and beyond?

Love – Hard for me to say. I personally think that if security engineers get more familiar with this complex exploit, potential attacks could get mitigated. Same goes for ethical hackers and penetration tester, testing or being better at testing smuggling attacks could lead to happier customer.

ISG – How can request smuggling be mitigated?

Love – For HTTP/1 based request smuggling, only allow one of the two headers for determining the length and make sure that both front- and back-end servers are configured to use the same. Block ambiguous request and make sure to always check the body of the request despite what the length specifies.

For request smuggling introduced by HTTP/2 make sure that end-to-end HTTP/2 communication is enabled. If a legacy server is being used and it is necessary to use downgrading, then block requests containing the HTTP/1 headers specifying the body’s size. Another mitigation is blocking other techniques used in request smuggling attacks, such as CRLF sequence injections.

Tags: CybercybersecurityExploitHTTPVulnerabilityweb
ShareTweet
Previous Post

Salt Security Joins AWS Lambda Ready Program

Next Post

Is It Safe to Register on a Website With Your Facebook or Google Account?

Recent News

CISOs say boardrooms still don’t grasp the human cyber risk AI is supercharging

CISOs say boardrooms still don’t grasp the human cyber risk AI is supercharging

July 17, 2026
AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

July 16, 2026
Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

July 15, 2026
Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

July 15, 2026

Eskenzi PR banner ad

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol