Hunt HTTP request smuggling.
smugglex finds where front-end and back-end servers disagree on request boundaries. Timing-based, protocol-aware, and written in Rust.
Scan in one command.
One static binary. Point it at a target, or pipe in a list, and get structured findings back.
Also available via Cargo, Nix, Snap, and prebuilt binaries.
$ smugglex https://target.com [VULNERABLE] CL.TE - https://target.com (payload #3) Normal: 200 (45ms) | Attack: 200 (5023ms) [OK] TE.CL - https://target.com [OK] TE.TE - https://target.com [OK] H2C - https://target.com [VULNERABLE] H2 - https://target.com (h2-downgrade) [OK] CL-Edge - https://target.com # 2 vulnerable checks · exit code 1
Six ways servers disagree.
Each check targets one parser mismatch between the front-end and the back-end. Run the whole suite, or select with -c.
Content-Length says one thing, Transfer-Encoding says another. The classic desync, confirmed by timing.
HTTP/2 to HTTP/1.1 downgrade over real ALPN h2. Catches H2.CL and H2.TE.
Read the technique TE.CLTransfer-Encoding vs Content-Length. The mirror image of CL.TE.
Read TE.TETransfer-Encoding obfuscation. Over 40 header variants are tried.
Read H2CHTTP/2 cleartext upgrade smuggling against h2c-capable proxies.
Read CL-EdgeContent-Length edge cases. Malformed, duplicated and whitespace-padded length headers that slip past a validator but split at the next hop.
Read the techniqueTiming tells the truth.
No guessing from response bodies. smugglex measures how long the back-end takes to answer, then compares against a clean baseline.
Measure the baseline
It sends a few clean requests, three by default, and records how fast the server normally responds.
Send the payload
Then it delivers desync payloads crafted for each technique against the same endpoint.
Compare the timing
A reply that stalls past three times baseline, or a full second longer, means the parsers disagreed.
A five-second stall on a 45 ms endpoint is the signature of a smuggled request waiting on a body that never arrives.
Built for pipelines and agents.
Clean JSON on stdout, meaningful exit codes, and one batch envelope for every run. Drop smugglex into CI or an agent loop without scraping logs.
- Pure JSON on stdout. With
--json, only the document prints. Logs stay on stderr. - Batch envelope. A
results[]array plus a summary, even for a single target. - Composable. Pipe URLs in from any recon tool, pipe findings out to jq.
{
"smugglex_version": "0.2.0",
"results": [
{
"target": "https://target.com",
"checks": [ "..." ]
}
],
"summary": {
"total_targets": 12,
"vulnerable_targets": 3,
"total_checks": 84,
"vulnerable_checks": 5
}
}
More than a checklist.
Everything you need to go from a URL to a confirmed, reproducible desync.
Real HTTP/2
Speaks ALPN h2 on HTTPS targets to catch HTTP/2 to HTTP/1.1 downgrade smuggling.
Burp raw-request replay
--raw-request replays a captured request verbatim, so path and matrix payloads survive.
Fingerprint and fuzz
--fingerprint profiles proxies; --fuzz mutates payloads from a reproducible seed.
Exploitation modules
Go past detection with localhost-access, path-fuzz, smuggle, capture and reveal.
stdin pipeline
Pipe URLs from any recon tool, and use --exit-first for fast triage.
Single static binary
Rust, no runtime. Install with Homebrew, Cargo, Nix, Snap, or a prebuilt release.
Ship it before they smuggle it.
smugglex is open source and MIT licensed. Point it at a target and find the desync first.