As part of our coursework in ISA-681, my teammate and I would like to work on a case study focused on HTTP Request Smuggling, particularly attacks that take advantage of inconsistencies in how systems interpret the Content-Length and Transfer-Encoding headers.
This vulnerability is interesting because it doesn’t rely on a single system being broken. Instead, it happens when different components in a request chain, such as a front-end proxy and a back-end server, interpret the same HTTP request differently. This mismatch can allow an attacker to sneak in an extra request that bypasses normal security checks.
In our case study, we plan to explain how these attacks work in practice, including common patterns like CL.TE and TE.CL. We will also look at how attackers use these techniques to interfere with request handling, and what kind of impact this can have in real-world systems.
A major focus of our work will be on prevention. We want to clearly show what developers and system designers can do to avoid this class of vulnerability, such as enforcing consistent request parsing, rejecting ambiguous inputs, and configuring servers and proxies to handle headers in a predictable way.
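As an added illustration of the prevention points above (this is example code written for this proposal, not code from any existing case study or server), the following Python validator applies the strict framing rules a front-end proxy could enforce: it rejects any request whose body length could be determined in more than one way, which is exactly the precondition for the CL.TE and TE.CL mismatches described earlier. The function names `parse_head` and `framing_problem`, and the sample requests at the bottom, are constructed for this example.

```python
"""Strict HTTP/1.1 message-framing validation for a front-end proxy.

A request is accepted only if its body length can be determined in
exactly one way (RFC 7230 section 3.3.3). Anything that two reasonable
parsers might frame differently is rejected before it is forwarded,
instead of being "repaired", because repair is where parsers diverge.
"""
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw request into (request_line, [(name, value), ...]).

    Names are lower-cased; values lose only leading/trailing SP and HTAB.
    Bare CR/LF, obsolete line folding and malformed names are errors.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: List[Header] = []
    for line in header_lines:
        if "\n" in line or "\r" in line:
            raise ValueError("bare CR or LF inside header line")
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding is not allowed")
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip(" \t"):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip(" \t")))
    return request_line, headers


def framing_problem(raw: bytes) -> Optional[str]:
    """Return why a request's body framing is ambiguous, or None if it is not."""
    try:
        _request_line, headers = parse_head(raw)
    except ValueError as exc:
        return str(exc)

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Both headers present is the CL.TE / TE.CL precondition: one hop may
    # honour Content-Length while the next honours Transfer-Encoding.
    if cl_values and te_values:
        return "both Content-Length and Transfer-Encoding present"

    # Content-Length: every occurrence (and every comma-separated member)
    # must be the same plain ASCII decimal number.
    if cl_values:
        members = [m.strip(" \t") for v in cl_values for m in v.split(",")]
        if any(re.fullmatch(r"[0-9]+", m) is None for m in members):
            return "Content-Length is not a plain decimal integer"
        if len(set(members)) != 1:
            return "conflicting Content-Length values"

    # Transfer-Encoding: accept a single header whose value is exactly
    # 'chunked'. The RFC treats codings case-insensitively, but a strict
    # gateway rejects non-canonical spellings, extra codings and stray
    # whitespace, since those are what make one parser see chunked framing
    # and another not.
    if te_values:
        if len(te_values) != 1:
            return "multiple Transfer-Encoding headers"
        if te_values[0] != "chunked":
            return f"unsupported or obfuscated Transfer-Encoding: {te_values[0]!r}"

    return None


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = {
        "plain CL": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
        "chunked": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        "CL and TE": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        "dup CL": b"POST / HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n",
    }
    for label, req in samples.items():
        print(f"{label:10s} -> {framing_problem(req) or 'accepted'}")
```

In a real deployment the same rules should be applied at every hop, and the back-end should also refuse to guess; the value of this check is that the decision is made once, explicitly, rather than being left to two implementations that may disagree.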
After reviewing the existing case studies and the current issue tracker, we did not find this topic already covered or proposed. We plan to proceed with this case study unless there are any concerns.