A critical vulnerability exists in the HTTP/1.1 protocol that could expose tens of millions of websites to malicious takeover risks through complex desynchronization attacks. This foundational protocol flaw, present for decades, creates extremely blurred request boundaries, allowing attackers to manipulate network traffic and compromise entire infrastructures.Part01
Analysis of the Critical Vulnerability in HTTP/1.1
A report by PortSwigger indicates that this vulnerability demonstrates that HTTP request smuggling attacks can bypass security measures that vendors have deployed for years.
These desync attacks exploit inherent flaws in the HTTP/1.1 message parsing mechanism. Attackers construct malicious requests by manipulating the Content-Length header and differences in Transfer-Encoding: chunked encoding, causing discrepancies in parsing between reverse proxies and backend servers.
The impact of HTTP request smuggling attacks is severe. Research shows that a single malicious HTTP request can lead to a website being unable to recognize the correspondence between responses and users, resulting in significant leakage of confidential information and even allowing users to randomly log into other active accounts.
More seriously, attackers can inject malicious JavaScript to contaminate website caches, thereby gaining persistent control over webpage content and stealing passwords and credit card information. This vulnerability affects the core infrastructure of multiple content delivery networks (CDNs), and despite vendors’ ongoing attempts to fix it over the past six years, millions of websites remain exposed to risk.
Security experts emphasize that simply encapsulating HTTP/1.1 within HTTPS does not defend against such attacks, as the vulnerability exists at the protocol layer rather than the encryption layer.
Part02
Deploying HTTP/2 Upstream Connections
The fundamental solution to this vulnerability requires migrating to HTTP/2 upstream connections between reverse proxies and origin servers. HTTP/2 eliminates the ambiguity that leads to desynchronization attacks through explicit message boundaries and binary framing mechanisms.
However, merely enabling HTTP/2 on the client side is not sufficient; HTTP/2 must also be used in upstream connections on backend servers to fully mitigate the attack.
For organizations unable to immediately deploy HTTP/2 upstream connections, researchers recommend the following temporary measures:
- Use the open-source tool HTTP Request Smuggler v3.0 to detect vulnerabilities
- Enable request validation and normalization features
- Consider disabling upstream connection reuse (though this may impact performance)
Part03
Mainstream Vendors Still Need Time to Fix the Vulnerability
Currently, mainstream vendors including nginx, Akamai, CloudFront, and Fastly have not yet supported HTTP/2 upstream connections, meaning that millions of websites will remain exposed until the necessary upgrades are completed on the relevant platforms.
Editor: Chen Shijiu
Reviewer: Shang Mijun
Call for Papers
Hello everyone, in order to better promote academic exchanges within the industry, Shang Mijun is now launching a call for papers. If you have unique insights and ideas on commercial cryptography, network security, data encryption, etc., please actively submit your work to Shang Mijun, who will ensure your voice reaches more people.
Click to purchase the “2023-2024 China Commercial Cryptography Industry Development Report”
Source:FreebufNote: All content is sourced from the internet, and copyright belongs to the author. If there is any infringement, please contact us, and we will handle it promptly.

Share
Like
View