HTTP desync scanner

Hunt HTTP request smuggling.

smugglex finds where front-end and back-end servers disagree on request boundaries. Timing-based, protocol-aware, and written in Rust.

Scan in one command.

One static binary. Point it at a target, or pipe in a list, and get structured findings back.

$ brew install hahwul/smugglex/smugglex

Also available via Cargo, Nix, Snap, and prebuilt binaries.

smugglex
$ smugglex https://target.com

[VULNERABLE] CL.TE - https://target.com (payload #3)
  Normal: 200 (45ms) | Attack: 200 (5023ms)
[OK] TE.CL - https://target.com
[OK] TE.TE - https://target.com
[OK] H2C - https://target.com
[VULNERABLE] H2 - https://target.com (h2-downgrade)
[OK] CL-Edge - https://target.com

# 2 vulnerable checks · exit code 1

Timing tells the truth.

No guessing from response bodies. smugglex measures how long the back-end takes to answer, then compares against a clean baseline.

Measure the baseline

It sends a few clean requests, three by default, and records how fast the server normally responds.

Send the payload

Then it delivers desync payloads crafted for each technique against the same endpoint.

Compare the timing

A reply that stalls past three times baseline, or a full second longer, means the parsers disagreed.

clean baseline45 ms
CL.TE payload5023 ms

A five-second stall on a 45 ms endpoint is the signature of a smuggled request waiting on a body that never arrives.

Built for pipelines and agents.

Clean JSON on stdout, meaningful exit codes, and one batch envelope for every run. Drop smugglex into CI or an agent loop without scraping logs.

  • Pure JSON on stdout. With --json, only the document prints. Logs stay on stderr.
  • Batch envelope. A results[] array plus a summary, even for a single target.
  • Composable. Pipe URLs in from any recon tool, pipe findings out to jq.
0clean, no smuggling found
1at least one vulnerable check
2usage or input error
report.json
{
  "smugglex_version": "0.2.0",
  "results": [
    {
      "target": "https://target.com",
      "checks": [ "..." ]
    }
  ],
  "summary": {
    "total_targets": 12,
    "vulnerable_targets": 3,
    "total_checks": 84,
    "vulnerable_checks": 5
  }
}

More than a checklist.

Everything you need to go from a URL to a confirmed, reproducible desync.

Real HTTP/2

Speaks ALPN h2 on HTTPS targets to catch HTTP/2 to HTTP/1.1 downgrade smuggling.

Burp raw-request replay

--raw-request replays a captured request verbatim, so path and matrix payloads survive.

Fingerprint and fuzz

--fingerprint profiles proxies; --fuzz mutates payloads from a reproducible seed.

Exploitation modules

Go past detection with localhost-access, path-fuzz, smuggle, capture and reveal.

stdin pipeline

Pipe URLs from any recon tool, and use --exit-first for fast triage.

Single static binary

Rust, no runtime. Install with Homebrew, Cargo, Nix, Snap, or a prebuilt release.

Ship it before they smuggle it.

smugglex is open source and MIT licensed. Point it at a target and find the desync first.