HTTP/1.1 must die: the desync endgame
17 days ago
- #web-security
- #HTTP/1.1-vulnerabilities
- #HTTP-desync
- HTTP/1.1 is inherently insecure and exposes websites to hostile takeover via HTTP desync attacks.
- Novel classes of HTTP desync attacks can compromise user credentials on millions of websites, including those using Akamai, Cloudflare, and Netlify.
- An open-source toolkit for detecting parser discrepancies has been developed, yielding over $200,000 in bug bounties in two weeks.
- HTTP request smuggling is a fundamental protocol flaw in HTTP/1.1, and minor implementation bugs can have severe security consequences.
- HTTP/2+ solves the desync threat, but many servers downgrade HTTP/2 to HTTP/1.1 upstream, reintroducing vulnerabilities.
- Expect header manipulation can trigger 0.CL and CL.0 desync vulnerabilities, leading to critical exploits like Response Queue Poisoning (RQP).
- Case studies demonstrate real-world exploits, including a $12,000 bounty from T-Mobile and a $7,000 bounty from GitLab.
- Upstream HTTP/2 is the recommended solution, but many vendors still lack support, leaving websites vulnerable.
- Mitigations like request normalization and strict parsing can help, but the ultimate fix is abandoning HTTP/1.1.
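As an added example (not code from the PortSwigger post or its toolkit), here is the kind of strict request-framing check the last bullet refers to as a mitigation: a front end that refuses any HTTP/1.1 request whose body length it cannot determine unambiguously (both Content-Length and Transfer-Encoding present, duplicate Content-Length values, whitespace in header names, obsolete line folding, or an Expect value other than 100-continue) instead of guessing and passing the request upstream. The sample requests, the `validate` return shape and the helper names are constructed for this illustration.

```python
"""Strict HTTP/1.1 request-framing validator (illustrative, not production code)."""
import re

class FramingError(ValueError):
    """Raised when a request's body length cannot be determined unambiguously."""

# RFC 9110 token characters for header names; anything else (including spaces) is rejected.
_TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
_DIGITS = re.compile(rb"[0-9]+")


def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], remaining_bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated by CRLFCRLF")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        raise FramingError("malformed request line")
    headers = []
    for line in lines[1:]:
        if b"\n" in line or b"\r" in line:
            raise FramingError("bare CR or LF inside a header line")
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding")
        name, colon, value = line.partition(b":")
        # A name such as b"Content-Length " (space before the colon) fails the token check.
        if not colon or not _TOKEN.fullmatch(name):
            raise FramingError(f"malformed header name: {name!r}")
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers, rest


def check_expect(headers):
    """Conservative policy: the only Expect value allowed through is 100-continue."""
    for name, value in headers:
        if name == b"expect" and value.lower() != b"100-continue":
            raise FramingError(f"unexpected Expect value: {value!r}")


def body_length(headers):
    """Return the declared body length, or None for a chunked body; reject any ambiguity."""
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te:
        if [v.lower() for v in te] != [b"chunked"]:
            raise FramingError(f"unsupported Transfer-Encoding: {te!r}")
        return None
    if not cl:
        return 0
    # Reject duplicates outright rather than trying to reconcile them.
    if len(cl) != 1 or not _DIGITS.fullmatch(cl[0]):
        raise FramingError(f"ambiguous Content-Length: {cl!r}")
    return int(cl[0])


def validate(raw: bytes) -> dict:
    """Accept a request only when its framing is unambiguous."""
    try:
        _request_line, headers, _rest = parse_head(raw)
        check_expect(headers)
        length = body_length(headers)
    except FramingError as err:
        return {"ok": False, "reason": str(err)}
    return {"ok": True, "length": length, "chunked": length is None}


# Constructed sample requests (not captured traffic); the host name is a placeholder.
SAMPLES = {
    "clean": b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /login HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\nhello",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello",
    "odd_expect": b"POST / HTTP/1.1\r\nHost: example.test\r\nExpect: anything-else\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:20} -> {validate(request)}")
```

The design choice is that rejection is cheap and guessing is what creates a desync: every branch that a lenient parser would "repair" (reconciling duplicate lengths, trimming whitespace from a header name, tolerating an unknown Expect value) is instead an error, so the front end and the upstream server can never disagree about where one request ends and the next begins.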