README.md

June 7, 2026

Rust-powered HTTP Request Smuggling Scanner.

Overview

Smugglex is a security testing tool that detects HTTP Request Smuggling vulnerabilities in web applications. It tests for CL.TE, TE.CL, TE.TE, H2C, and H2 smuggling attacks, and — on HTTPS targets — speaks real HTTP/2 (ALPN h2) to detect HTTP/2→HTTP/1.1 downgrade smuggling (H2.CL / H2.TE) via the h2-downgrade check.

For detailed documentation, visit smugglex.hahwul.com.

Installation

Homebrew (macOS and Linux)

brew install hahwul/smugglex/smugglex

Build from Source

Requires Rust 1.70 or later:

git clone https://github.com/hahwul/smugglex
cd smugglex
cargo install --path .

For other installation methods, see Installation Guide.

Usage

Basic scan:

smugglex https://target.com

Read URLs from stdin:

cat urls.txt | smugglex

Replay a captured request (e.g. exported from Burp Suite) as the request template:

smugglex --raw-request request.txt              # target taken from the Host header
smugglex --raw-request request.txt --raw-request-proto http
smugglex --raw-request request.txt -H "X-Collab: abcd.oastify.com"  # -H is additive

The captured request-target is sent verbatim — dot-segments, matrix params and # are preserved, not normalized — for both origin-form (POST /path ...) and absolute-form (GET http://...) request lines, so path-based payloads survive. Any -H headers are merged on top of the captured ones.

For detailed usage and options, see Usage Guide.

Examples

smugglex https://target.com -v -o results.json
cat urls.txt | smugglex --exit-first

For AI Agents, Scripts & CI

smugglex is designed to be friendly to automated usage:

# Clean JSON output (only JSON on stdout) + proper exit code
smugglex --json https://target.com
echo $?   # 0 = clean, 1 = vulnerability found

# Batch + structured output (single valid JSON document)
cat urls.txt | smugglex -f json -o report.json

# Quiet + JSON for pipelines
smugglex -q --json https://target.com | jq '.summary.vulnerable_targets'

Exit codes:

  • 0 — No vulnerabilities found
  • 1 — At least one vulnerability found
  • 2 — Usage / input error

See the Pipeline Guide and Output Formats for more.
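
A fail-closed CI gate built on the exit codes listed above, as an added example that is not part of the smugglex project: it scans each URL separately with --json, keeps one report per target, and treats any exit code other than 0 or 1 as a failed scan rather than a clean result. SMUGGLEX_BIN, scan_gate and the scan-N.json file names are assumptions of this example.

```sh
#!/bin/sh
# Added example: fail-closed CI gate over the documented exit codes
# (0 = clean, 1 = vulnerable, 2 = usage/input error).
# Assumed names: SMUGGLEX_BIN, scan_gate, scan-N.json report files.
SMUGGLEX_BIN="${SMUGGLEX_BIN:-smugglex}"

# scan_gate URL_FILE REPORT_DIR
# Returns 0 only if every scan exited 0, 1 if any target was reported
# vulnerable, 2 if nothing was scanned or a scan ended with any other code.
scan_gate() {
    url_file=$1
    report_dir=$2
    vulnerable=0
    errors=0
    n=0
    [ -r "$url_file" ] || { echo "cannot read $url_file" >&2; return 2; }
    mkdir -p "$report_dir" || return 2

    while IFS= read -r url || [ -n "$url" ]; do
        # Skip blank lines and comment lines in the target list.
        case $url in ''|'#'*) continue ;; esac
        n=$((n + 1))
        report="$report_dir/scan-$n.json"
        code=0
        # stdin is /dev/null so the scanner cannot consume the rest of the
        # URL list (smugglex also accepts URLs on stdin).
        "$SMUGGLEX_BIN" --json "$url" >"$report" </dev/null || code=$?
        case $code in
            0) ;;
            1) vulnerable=$((vulnerable + 1))
               echo "VULNERABLE: $url (report: $report)" >&2 ;;
            *) errors=$((errors + 1))
               echo "SCAN ERROR (exit $code): $url" >&2 ;;
        esac
    done <"$url_file"

    # An empty target list is a pipeline misconfiguration, not a pass.
    [ "$n" -gt 0 ] || { echo "no targets in $url_file" >&2; return 2; }
    [ "$vulnerable" -eq 0 ] || return 1
    [ "$errors" -eq 0 ] || return 2
    return 0
}
```

In a pipeline step, call scan_gate urls.txt reports and let its return value fail the job; a finding (1) takes precedence over a scan error (2) when both occur in the same run.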

Troubleshooting

Common issues and solutions are available in the Troubleshooting Guide.

References