smuggles is an HTTP request smuggling scanner designed to be able to scan thousands of hosts in a single scan. It offers the following features:
- detection of CL.TE and TE.CL request smuggling using the time-based techniques described by James Kettle in his post HTTP Desync Attacks: Request Smuggling Reborn
- scan state saving and resumption
- generation of PoC requests to reproduce timeouts
- generation of Turbo Intruder scripts to exploit request smuggling issues
- random request ordering to allow for a large number of tests to be performed while keeping the traffic to each host low
- a large number of mutations of the
Transfer-Encoding
included in tests
With a properly configured $GOPATH
, you can run
go get -v github.com/danielthatcher/smuggles
smuggles accepts a list of URLs as target, one per line, on stdin and can be run without any arguments:
cat targets.txt | smuggles
smuggles will send a regular HTTP request to each target to determine what a normal response time for the target is, and then test different mutation of the Transfer-Encoding
header against each target to try and cause a timeout. CL.TE tests are performed before TE.CL tests to try and prevent accidental socket poisoning during the detection phase.
When run without any arguments, smuggles will try all mutations with each of the GET
, POST
, PUT
, and DELETE
HTTP methods. You can view the full list of mutations with smuggles -l
, and view an individual mutation with smuggles -m <mutation name>
. Note that this will output the raw bytes of the mutation, including control characters.
Mutations can be disabled by specifying the -d
flag one or more times, each time with a glob the of the mutation names to disable. For example, to disable all mutations which put bytes either side of the colon or which specify multiple values separated by a comma you would run
spydom -d 'comma-*' -d 'colon-*'
You can instead enable just a subset of mutations with the -e
flag, against used one or more times with a glob matching the mutations to enable as the argument. For example, to enable just the line prefix and the uppercase mutations, you would run
spydom -e 'lineprefix-*' -e uppercase
Similarly, custom methods can be specified with the -m
flag. For example, to only scan with GET
and POST
methods, you would run
spydom -m GET -m POST
Smuggles will output results similar to the following:
GET https://example.com CL.TE lineprefix-space
This means that a CL.TE timeout can be triggered with a request to https://example.com using the lineprefix-space
mutation of the Transfer-Encoding
header.
Timeout proof-of-concepts can be generated by running smuggles with the --poc
flag an supplying a line of smuggles' output. For example, you can generate a proof-of-concept for a CL.TE timeout to https://example.com using the lineprefix-space
mutation as follows:
$ smuggles --poc GET https://example.com CL.TE lineprefix-space
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
Connection: close
Content-Length: 4
1
Z
Q
You can also generate TurboIntruder scripts for exploitation in a similar fashion by specifying a template script with the --script
flag:
smuggles --script /path/to/script.py GET https://example.com CL.TE lineprefix-space
Sample template scripts can be found in the resources directory.