Skip to content
Java Python Other
Branch: master
Clone or download
Latest commit 694dcdf Aug 14, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
resources Make finding names less cryptic Jul 30, 2019
src/burp Bump version Aug 14, 2019
BappDescription.html Release. Aug 1, 2019
BappManifest.bmf Bump version Aug 14, 2019 Update readme Aug 14, 2019
build.gradle Release. Aug 1, 2019 Release. Aug 1, 2019

HTTP Request Smuggler

This is an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks, originally created during HTTP Desync Attacks research. It supports scanning for Request Smuggling vulnerabilities, and also aids exploitation by handling cumbersome offset-tweaking for you.


The easiest way to install this is in Burp Suite, via Extender -> BApp Store.

If you prefer to load the jar manually, in Burp Suite (community or pro), use Extender -> Extensions -> Add to load build/libs/http-request-smuggler-all.jar


  • Turbo Intruder is a dependency of this project, add it to the root of this source tree as turbo-intruder-all.jar
  • Build with gradle fatJar


Right click on a request and click 'Launch Desync probe', then watch the extension's output pane under Extender->Extensions->HTTP Request Smuggler

If you're using Burp Pro, any findings will also be reported as scan issues.

For more advanced use watch the video.


We've released free online labs to practise against.

You can’t perform that action at this time.