Infrastructure Testing (/test-infra)¶
Tests infrastructure-level vulnerabilities based on James Kettle's cutting-edge research: HTTP request smuggling (including HTTP/2 variants, H2C smuggling, TE.0, hop-by-hop abuse), web cache poisoning, web cache deception, HTTP host header attacks, and server misconfiguration. These techniques have earned $500K+ in bug bounties.
Scope Routing¶
| Scope | Sections | Focus |
|---|---|---|
smuggling |
A (A1-A7) + F (F1-F2) | All HTTP request smuggling variants: CL.TE / TE.CL timing probes, HTTP/2 detection, H2C smuggling (proxy bypass), TE.0 (Google Cloud), hop-by-hop header abuse (Akamai), response queue poisoning, HTTP/2 advanced techniques |
cache |
B (B1-B4) + C (C1-C3) + D (D1-D3) + E (E1-E6) | Web cache poisoning (unkeyed headers/params, fat GET, path normalization), web cache deception, host header attacks (password reset, routing), security misconfiguration (LFI, NGINX X-Accel-Redirect, directory traversal) |
Coverage¶
Request Smuggling¶
- CL.TE / TE.CL Detection -- Timing-based detection (safe) measuring response time differential when Content-Length and Transfer-Encoding disagree.
- HTTP/2 Support Detection -- Informational check for HTTP/2 capability.
- H2C Smuggling -- HTTP/2 cleartext upgrade to bypass reverse proxy access controls, WAF rules, and IP restrictions (PortSwigger Top 10 2020 #1).
- TE.0 Detection -- Transfer-Encoding with number prefix, affected thousands of Google Cloud sites (PortSwigger Top 10 2024 #3).
- Hop-by-Hop Header Abuse -- Connection header stripping of security-relevant headers (PortSwigger Top 10 2022 #7, affected Akamai worldwide).
- Response Queue Poisoning -- Escalating header injection (CRLF) to Critical by causing the server to return another user's response to the attacker.
Cache Poisoning and Deception¶
- Unkeyed Header Poisoning -- Injecting malicious content via headers not included in the cache key (X-Forwarded-Host, X-Forwarded-Proto, X-Original-URL).
- Unkeyed Parameter Poisoning -- Parameters excluded from cache key that affect response content.
- Fat GET Poisoning -- GET requests with request bodies that poison cache responses.
- Path Normalization Poisoning -- Exploiting path normalization differences between cache and origin.
- Web Cache Deception -- Tricking cache into storing authenticated responses by appending static file extensions.
- Host Header Attacks -- Password reset poisoning, cache poisoning via Host header, routing-based SSRF.
Security Misconfiguration¶
- LFI/Path Traversal -- Directory traversal payloads against file-serving endpoints.
- NGINX X-Accel-Redirect -- Exploiting NGINX internal redirect headers.
- Directory Listing -- Exposed directory indexes.
- Security Headers -- Missing or misconfigured security headers (HSTS, CSP, X-Content-Type-Options).
- TLS/SSL Configuration -- Certificate issues, weak cipher suites, protocol version support.
Key Sections¶
| Section | ID | Description |
|---|---|---|
| CL.TE / TE.CL Timing | A1 | Safe timing-based detection measuring response time differential. Detection-only, no exploitation. |
| HTTP/2 Detection | A2 | Informational HTTP/2 support check. |
| H2C Smuggling | A2b | HTTP/2 cleartext upgrade for proxy bypass (BishopFox h2csmuggler). |
| TE.0 Detection | A3 | Malformed Transfer-Encoding with number prefix (Google Cloud vuln). |
| Hop-by-Hop Abuse | A4 | Connection header stripping of auth/security headers. |
| Response Queue Poisoning | A5 | CRLF escalation to cross-user response leakage. |
| Cache Poisoning | B1-B4 | Unkeyed headers (B1), unkeyed params (B2), fat GET (B3), path normalization (B4). |
| Cache Deception | C1-C3 | Static extension appending, path confusion, cache rule exploitation. |
| Host Header Attacks | D1-D3 | Password reset poisoning (D1), routing-based SSRF (D2), cache poisoning (D3). |
| Security Misconfiguration | E1-E6 | LFI (E1), NGINX X-Accel-Redirect (E2), directory listing (E3), security headers (E4), TLS (E5), server info disclosure (E6). |
| HTTP/2 Advanced | F1-F2 | Advanced HTTP/2 desync techniques. |
Model and Thinking Budget¶
| Component | Model | Rationale |
|---|---|---|
| Request smuggling | Sonnet | Systematic timing-based probing with clear detection criteria |
| Cache poisoning | Sonnet | Methodical header/parameter fuzzing |
| Host header | Sonnet | Procedural testing |
| Misconfiguration | Sonnet | Standard check patterns |
Kill Switch¶
| Limit | Value |
|---|---|
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
| Cache buster | Unique cache buster on every poisoning test |
AI Decision Points¶
One primary [AI-DECISION] marker:
- Architecture Detection (A) -- Determine front-end/back-end server combination from response headers. Select CL.TE vs TE.CL vs HTTP/2 desync testing based on detected architecture (e.g., HAProxy+Apache = CL.TE, Nginx+Gunicorn = TE.CL).
Dangerous Mode Gate¶
Request Smuggling requires --dangerous flag
Section A (HTTP Request Smuggling) is gated behind the --dangerous flag. Even timing-based probes can occasionally desynchronize connections on vulnerable production servers. Without the flag, smuggling tests are skipped and the skill proceeds directly to cache and misconfiguration testing.
Knowledge Packs and Cheatsheets¶
| Resource | Path |
|---|---|
| Request smuggling knowledge | helpers/knowledge-smuggling.md |
| Cache poisoning knowledge | helpers/knowledge-cache-poison.md |
| Smuggling cheatsheet | helpers/cheatsheet-smuggling.md |
| Cache cheatsheet | helpers/cheatsheet-cache.md |
| Research terms | helpers/research-terms.md |
External payload files: PayloadsAllTheThings request smuggling payloads, cache deception payloads, directory traversal intruder lists, SecLists LFI wordlists (Jhaddix, Linux, Windows), CRLF injection intruder lists.
Safety¶
Production Safety Warnings
- Request Smuggling -- Can desynchronize other users' connections. Detection-only via timing. Never send exploitation payloads.
- Cache Poisoning -- Can serve malicious content to ALL real users. Ask user before every test. Always use unique cache busters.
- Cache Deception -- Safer than poisoning but still caches real user data. Ask user first.
- Host Header -- Can poison password reset emails to real users. Never test with real user emails.
TE obfuscation, CL.0, and browser-powered desync tests are intentionally omitted from automation because they risk desynchronizing connections for real users. If timing probes are positive, the finding is reported with a recommendation to test on staging with Burp Suite's HTTP Request Smuggler extension.