HTTP Smuggling simulator / visualizer and command line generator.

Workbench for developing HTTP Smuggling / Desync exploits interactively and visually.

Inspired byRegexPal,revshells.com

• real time interactive colorization of request splits
• command line generator (netcat / socat for HTTPS)
• HTTP/2 support (ALPN Negotiation)
• ready to useTE.CL template
• ready to useCL.TE template
• ready to useCL.0 template
• ready to useH2.TE template
• ready to useH2.CL template
• ready to use "H2.WS Upgrade" template (slide 36 inthis deck)

• Support multiple requests in HTTP2 inputs
• As you can see the current UI does not look great. PRs welcome to improve the look & feel of the app.

The current payload template assumes HTTPS when used with HTTP/2. This is because as of writing, apparentlymitmproxy does not support prior-knowledge H2 connections. When I tried with Burp I got similar results so I assume it is also the same case.

If you want to use it without HTTPS, simply comment out the line that saysctx.wrap_socket in the script.