What happens when you tell a server to treat the Content-Length header as a hop-by-hop header and remove it? Request smuggling.

Hop-by-hop headers are those headers that are designed to be processed by the server currently handling the request, and not make their way to the final application server. This is useful for say a reverse proxy that might perform authentication and then pass some auth info along to the next service. You can tell the server what headers should be stripped from the request using the Connection header.

By sending Connection: Content-Length as a header, Akamai would indeed strip the Content-Length header and not pass it on. Leading to the next server (The Akami server that routes the requests to their real destination) reading the body as a new request. They demonstrate this with both a GET and OPTIONS request, interestingly though they don’t demonstrate it with a POST, and do not comment on it.

As request smuggling here on its own isn’t the most useful, the attack was weaponized as a cache poisoning attack. As the response to their smuggled request would be treated as the response to the next request they could obtain regional cache poisoning by making the caching server believe the response was the legitimate response, basically giving them control over the cached response to any Akamai hosted page.