Nessus Plugin “HTTP Smuggling Detection” failing due to support for http/1.1 – how to overcome?


According to here, this issue will show up if you have paranoia enabled. Did you purposefully enable paranoid scans?

Paranoid scans turn up with a lot of weird plugins like these. Another example of paranoia false positives I have seen was something along the lines of “Port 4444 is open, therefore there is a backdoor on this machine,” which isn’t necessarily true.

If you do need paranoia set to On, you then need to verify the validity of this plugin. In that case, I would recommend using Burp Suite (community edition is fine) and then running the HTTP Smuggler addon against your “vulnerable” host. It will do a much more thorough test on it than Nessus will.

Should you discover that your host IS vulnerable, then you should investigate patching your application. Generally speaking, this is not an issue with your code — it is almost always a vendor patch for a web server or web appliance. Note that, due to how HTTP Request Smuggling works, you also may need to investigate and patch all other infrastructure which is attached to that application. Namely, that would probably be a load balancer or some type of middleware.
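The reason the answer says to look at the load balancer and middleware is that request smuggling depends on two parsers in the chain disagreeing about where a request body ends. As an added illustration (not code from Nessus, Burp, or the original post), the strict framing check below shows the conditions a hardened edge would reject instead of guessing: both Transfer-Encoding and Content-Length present, conflicting or non-numeric Content-Length values, non-canonical Transfer-Encoding spellings, and malformed header lines. The sample requests are constructed for this example.

```python
"""Strict HTTP/1.1 request-framing check (added example, not vendor code).

RFC 7230 section 3.3.3 treats a request that carries both Transfer-Encoding
and Content-Length, or repeated/conflicting Content-Length values, as a
possible smuggling attempt. A front end that rejects these never has to
guess, so the back end cannot be made to see a different request boundary.
"""
import re

# RFC 7230 "token" characters; a header name with a space or other junk
# (e.g. "Content-Length : 5") is rejected rather than interpreted.
_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")


def check_request_framing(raw: bytes):
    """Return (ok, reason). ok is True only when body framing is unambiguous."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF in headers"  # parsers disagree on bare LF
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("latin-1")):
            return False, "malformed header line: %r" % line
        if name.lower() == b"content-length":
            cl_values.append(value.strip())
        elif name.lower() == b"transfer-encoding":
            te_values.append(value.strip().lower())
    if te_values and cl_values:
        return False, "both Transfer-Encoding and Content-Length present"
    if te_values:
        if te_values != [b"chunked"]:
            return False, "non-canonical Transfer-Encoding: %r" % te_values
        return True, "chunked"
    if len(set(cl_values)) > 1:
        return False, "conflicting Content-Length values"
    if cl_values and not cl_values[0].isdigit():
        return False, "non-numeric Content-Length"
    length = cl_values[0].decode() if cl_values else "0"
    return True, "content-length %s" % length
```

Run it against requests captured at the load balancer and at the application to see whether the two hops would have framed the body differently.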