HTTP Request Smuggling exploits the discrepancy in parsing non-RFC-compliant HTTP requests between two HTTP devices (typically a front-end proxy or HTTP-enabled firewall and a backend server). The HTTP Request Smuggling technique is performed by sending multiple specially crafted HTTP requests that cause two attacked entities to see two different sets of requests.
HTTP Request Smuggling enables an attacker to send one set of requests to the second device while the first device interacts on a different set of requests. The hacker is “smuggling” a request to one device without the other device being aware of it.
This facilitates several possible exploits, such as partial cache poisoning, bypassing firewall protection, and cross-site scripting (XSS).