https://atosh502.github.io/tags/http/1.1/Recent content in Http/1.1 on Aashutosh PoudelHugoen-USCopyright © \b20\d{2}\b, Aashutosh Poudel.Wed, 25 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/http/1.1-desync-attacks/Wed, 25 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/http/1.1-desync-attacks/<ul> <li>isolation between individual http requests is fundamentally broken in http/1.1 <ul> <li>no reliable way to say when one request finishes and next request starts</li> <li>multiple ways to specify request length + requests are concatenated under single connection without delimiters</li> </ul> </li> <li><a href="https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/#what-is-request-smuggling">request smuggling</a> <ul> <li>between client and application servers, request passes through multiple components such as load balancers, reverse proxies, etc.</li> <li>HTTP request parsers inconsistency: an attacker can craft a request that one component sees as complete, but the other continues to parse into a second, malicious request made on the same connection.</li> <li>the malicious request could inject headers and its URL into a subsequent valid request sent on the same connection.</li> </ul> </li> </ul> <p>Links</p>