## https://sploitus.com/exploit?id=E606D7F4-5FA2-5907-B30E-367D6FFECD89
# HTTP Request Smuggling Detection Tool
This repository contains a Python-based tool to detect HTTP Request Smuggling vulnerabilities, specifically targeting `CVE-2024-40725`. It probes an Apache HTTP Server target by sending crafted HTTP requests and analyzing the server's responses. The primary signal is a discrepancy in status codes or access behavior before and after a smuggling attempt, such as a restricted path that becomes reachable.
## Features
- Detect HTTP Request Smuggling vulnerabilities.
- Supports single URL testing and batch testing using a list of URLs.
- Allows custom wordlists for testing various endpoint paths.
- Stores output results in a log file for further analysis.
- Identifies cases where status codes differ before and after smuggling attempts (e.g., `403` → `200`).
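The feature list above describes detection from the client side. For the defender's side of the same problem, here is an added example (not part of this tool or of the referenced repository) that checks a single raw HTTP/1.1 request for the framing ambiguities request smuggling depends on: conflicting `Content-Length`/`Transfer-Encoding` headers, duplicate or non-numeric lengths, malformed header names, and a `Transfer-Encoding` that does not end in `chunked`. It assumes the request is a `bytes` object with CRLF line endings; the sample requests at the bottom are constructed for the demo.

```python
"""Defender-side check for ambiguous HTTP/1.1 request framing.

Request smuggling works because two parsers in the request path disagree
about where one request's body ends, usually because Content-Length (CL)
and Transfer-Encoding (TE) give different answers, or a header is written
so that only one of the parsers honours it.  This helper inspects the
header block of a single raw request and lists the ambiguities a front
end should reject outright (RFC 7230 section 3.3.3 requires rejecting a
request that carries both CL and TE).  Added example, not the tool's code.
Assumptions: input is bytes with CRLF line endings; the sample requests
below are constructed, not captured traffic.
"""
from __future__ import annotations

import re

# RFC 7230 "token" characters: a header name containing anything else
# (spaces, tabs, control bytes) is parsed differently by different servers.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_headers(raw: bytes) -> list[tuple[bytes, bytes | None]]:
    """Return [(name_lowercased, value)] for the header block of `raw`.

    The name is deliberately not stripped, so "Content-Length : 5" keeps
    its trailing space and is later flagged as malformed.  A line with no
    colon yields value None; an obs-fold continuation line yields name b"".
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):
            headers.append((b"", line.strip()))
            continue
        name, sep, value = line.partition(b":")
        headers.append((name.lower(), value.strip() if sep else None))
    return headers


def framing_ambiguities(raw: bytes) -> list[str]:
    """Return the reasons this request's body framing is ambiguous.

    An empty list means the CL/TE framing is unambiguous.
    """
    headers = parse_headers(raw)
    problems = []
    for name, value in headers:
        if name == b"":
            problems.append("obsolete line folding in headers")
        elif value is None:
            problems.append(f"header line without a colon: {name!r}")
        elif not _TOKEN.match(name):
            problems.append(f"malformed header name {name!r}")

    cl = [v for n, v in headers if n == b"content-length" and v is not None]
    te = [v for n, v in headers if n == b"transfer-encoding" and v is not None]

    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting duplicate Content-Length values")
    problems.extend(f"non-numeric Content-Length {v!r}" for v in cl if not v.isdigit())
    if te:
        if len(te) > 1:
            problems.append("duplicate Transfer-Encoding headers")
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            # chunked must be the final coding, otherwise the body has no length.
            problems.append("Transfer-Encoding present but not ending in chunked")
    return problems


# Constructed sample requests (not captured traffic).
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
          b"Content-Length: 50\r\n\r\nhello")
BAD_TE = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
SPACED = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE), ("dup-cl", DUP_CL),
                       ("bad-te", BAD_TE), ("spaced", SPACED)]:
        print(f"{label:7s} -> {framing_ambiguities(req) or 'ok'}")
```

A reverse proxy or WAF that applies a check like this and rejects anything with a non-empty result removes the disagreement between front end and back end that every smuggling variant relies on; the status-code comparison this tool performs is the external way of confirming that such a check is missing.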
## Requirements
- Python 3.7+
- `requests` library
Install the required library using pip:
```bash
pip install requests
```
## Usage
### Single URL
Run the tool for a single URL:
```bash
python detect_http_smuggling.py -u https://example.com -w wordlist.txt -o output.log
```
### Batch URL Testing
Test multiple URLs from a file:
```bash
python detect_http_smuggling.py -l urls.txt -w wordlist.txt -o output.log
```
### Parameters
| Parameter | Description |
|-----------|------------------------------------------|
| `-u` | Target URL for testing |
| `-l` | File containing a list of target URLs |
| `-w` | Custom wordlist for endpoint fuzzing |
| `-o` | Output file for saving results |
## Example Output
```text
Target: https://example.com
Status Change Detected:
/admin 403 ---> /admin 200
Target: https://anotherexample.com
No vulnerability was detected.
```
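The log written with `-o` is meant for further analysis, so here is an added example (not part of this tool) that parses the output format shown above into structured findings and triages them, putting a restricted path that became reachable (`401`/`403` before, `2xx` after) ahead of other status changes. It assumes exactly the layout of the example output: a `Target:` line per host, followed by either `No vulnerability was detected.` or `Status Change Detected:` and one `<path> <before> ---> <path> <after>` line per affected path; the sample log is constructed.

```python
"""Parse the tool's output log into structured findings for triage.

Added example, not part of the tool.  It assumes the log format shown
under "Example Output": a "Target: <url>" line per host, followed by
either "No vulnerability was detected." or "Status Change Detected:" and
one "<path> <before> ---> <path> <after>" line per affected path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_CHANGE = re.compile(
    r"^(?P<path>\S+) (?P<before>\d{3}) ---> (?P<path2>\S+) (?P<after>\d{3})$")


@dataclass(frozen=True)
class Finding:
    target: str
    path: str
    before: int
    after: int

    @property
    def restriction_bypassed(self) -> bool:
        """Denied (401/403) before the attempt and served (2xx) after:
        the access control in front of the path is being circumvented,
        which is the case to fix first."""
        return self.before in (401, 403) and 200 <= self.after < 300


def parse_log(log_text: str) -> dict[str, list[Finding]]:
    """Map each target URL in the log to its status-change findings
    (an empty list for targets where nothing was detected)."""
    results: dict[str, list[Finding]] = {}
    target = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            target = line[len("Target:"):].strip()
            results.setdefault(target, [])
            continue
        m = _CHANGE.match(line)          # other lines (headings, "No vulnerability...") are skipped
        if m and target is not None:
            results[target].append(
                Finding(target, m["path"], int(m["before"]), int(m["after"])))
    return results


def triage(log_text: str) -> list[Finding]:
    """All findings, restriction bypasses first, then ordered by target and path."""
    findings = [f for fs in parse_log(log_text).values() for f in fs]
    return sorted(findings, key=lambda f: (not f.restriction_bypassed, f.target, f.path))


# Constructed sample log in the tool's output format.
SAMPLE_LOG = """\
Target: https://example.com
Status Change Detected:
/admin 403 ---> /admin 200
/internal 403 ---> /internal 404
Target: https://anotherexample.com
No vulnerability was detected.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        flag = "BYPASS" if finding.restriction_bypassed else "change"
        print(f"[{flag}] {finding.target}{finding.path}: {finding.before} -> {finding.after}")
```

Run it against a real `output.log` by reading the file into `triage()`; a `403 ---> 200` change on an administrative path is the finding to escalate, while a change to `404` or `500` still indicates the front end and back end disagree about request boundaries and deserves a look at the proxy configuration.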
## Credits
This tool was inspired by the work found in the following repository:
[https://github.com/TAM-K592/CVE-2024-40725-CVE-2024-40898/blob/ALOK/CVE-2024-40725.py#L21](https://github.com/TAM-K592/CVE-2024-40725-CVE-2024-40898/blob/ALOK/CVE-2024-40725.py#L21)
## Disclaimer
This tool is intended for educational purposes and authorized security testing only. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal and unethical. Use responsibly.