@Galaxy-sc
Contributor

This PR covers issue #1307.

  • This PR handles the issue and requires no additional PRs.
  • You have validated the need for this change.

What did this PR accomplish?

  • Modernized & Decoupled WSTG-INPV-15:
    • Refactored section 4.7.15 to focus exclusively on HTTP Response Splitting (CRLF Injection).
    • Removed outdated legacy smuggling examples to ensure clear separation of concerns.
    • Updated the content to reflect modern attack scenarios and added a dedicated Remediation section.
  • Overhauled WSTG-INPV-16:
    • Renamed from "Testing for HTTP Incoming Requests" to "Testing for HTTP Request Smuggling".
    • Replaced the legacy proxy tooling guide (which was out of scope for Input Validation) with a comprehensive guide on HTTP Request Smuggling.
    • Added detailed testing methodologies for CL.TE, TE.CL, TE.TE, HTTP/2 Downgrade, and H2C Smuggling.

Thank you!

- Renamed 4.7.15 from 'HTTP Splitting Smuggling' to 'HTTP Response Splitting' to decouple it from Request Smuggling.
- Modernized the content of WSTG-INPV-15.
- Updated Table of Contents and all internal links throughout the project to point to the new filename.
- Replaced legacy 'Testing for HTTP Incoming Requests' (which was a proxy tooling guide) with a dedicated 'Testing for HTTP Request Smuggling' guide.
- Added methodologies for detecting CL.TE, TE.CL, TE.TE, H2C, and HTTP2 Downgrade Smuggling.
- Renamed file to reflect the new scope.
- Updated Table of Contents and all internal links throughout the project to point to the new filename.
- Closes OWASP#1307
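The two sections this PR reworks describe, respectively, CRLF injection into response headers and ambiguous request framing (the CL.TE, TE.CL and TE.TE cases). The following is an added illustration of the corresponding server-side checks; it is not code from the WSTG project or from this PR. The `example.test` host, the sample requests and all function names are constructed for the example.

```python
"""Defensive checks for the two issue classes covered by WSTG-INPV-15 and WSTG-INPV-16.

Added example, not part of the WSTG project. Sample requests below are constructed.
"""

# --- WSTG-INPV-15: HTTP Response Splitting (CRLF injection) -------------------

def is_header_value_safe(value: str) -> bool:
    """A header value must never contain CR or LF: a value that does can end the
    header block early and inject further headers or a body into the response."""
    return "\r" not in value and "\n" not in value


def build_redirect_header(location: str) -> str:
    """Build a Location header, refusing any value that would split the response."""
    if not is_header_value_safe(location):
        raise ValueError("refusing header value containing CR/LF")
    return f"Location: {location}"


# --- WSTG-INPV-16: ambiguous request framing (request smuggling) --------------

# RFC 9110 token characters; a header name containing anything else (e.g. a space
# before the colon) is one of the classic TE.TE obfuscations.
TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def framing_verdict(raw: bytes):
    """Classify how a raw HTTP/1.1 request head frames its body.

    Returns (verdict, reason). verdict is 'reject' whenever front-end and back-end
    could disagree about the body length, otherwise 'content-length', 'chunked'
    or 'none'. A strict gateway should refuse 'reject' requests with 400.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _request_line, *lines = head.split("\r\n")
    cl_values, te_values = [], []
    for line in lines:
        if not line:
            continue
        if line[0] in " \t":
            return "reject", "obsolete line folding / leading whitespace"
        if "\n" in line or "\r" in line:
            return "reject", "bare CR or LF inside a header line"
        if ":" not in line:
            return "reject", "malformed header line"
        name, value = line.split(":", 1)
        if not name or any(c not in TOKEN_CHARS for c in name):
            return "reject", "non-token characters in header name"
        value = value.strip(" \t")
        lname = name.lower()
        if lname == "content-length":
            cl_values.append(value)
        elif lname == "transfer-encoding":
            te_values.append(value)
    if cl_values and te_values:
        return "reject", "both Content-Length and Transfer-Encoding present (CL.TE/TE.CL)"
    if len(te_values) > 1:
        return "reject", "duplicate Transfer-Encoding headers (TE.TE)"
    if te_values:
        if te_values[0] != "chunked":
            return "reject", "non-canonical Transfer-Encoding value (TE.TE)"
        return "chunked", "single canonical chunked encoding"
    if len(set(cl_values)) > 1:
        return "reject", "conflicting Content-Length values"
    if cl_values:
        if not all(c in "0123456789" for c in cl_values[0]):
            return "reject", "non-numeric Content-Length"
        return "content-length", "single numeric Content-Length"
    return "none", "no body framing headers"


# Constructed sample requests (host example.test is a placeholder).
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED_OK = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TE_OBFUSCATED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
SPACE_BEFORE_COLON = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("chunked", CHUNKED_OK), ("cl+te", CL_AND_TE),
                       ("te-obfuscated", TE_OBFUSCATED), ("space-before-colon", SPACE_BEFORE_COLON)]:
        print(f"{label:20s} -> {framing_verdict(req)}")
    print(build_redirect_header("https://example.test/ok"))
```

The framing check deliberately refuses anything that is merely unusual (non-canonical casing or whitespace in `Transfer-Encoding`, a space before the colon) rather than trying to interpret it: the smuggling classes this PR documents all arise from two parsers interpreting the same unusual head differently, so a gateway that rejects the ambiguous head outright removes the disagreement.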
@github-actions

The following links are broken:
FILE:base/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Response_Splitting.md
[❌] https://web.archive.org/web/20210816212852/https://www.cgisecurity.com/lib/http-request-smuggling.pdf → Status: 0

@Galaxy-sc
Contributor Author

@kingthorin The link checker failed on the Archive.org URL for "HTTP Request Smuggling" (cgisecurity.com), likely due to a timeout or bot protection. I've verified manually that the link is valid and accessible. This appears to be a false positive.
