https://az0th.it/web/request/ Recent content in Request Smuggling & Cache on MrAzoth Hugo -- 0.154.5 en-us Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/request/090-request-http1-smuggling/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/request/090-request-http1-smuggling/ <h1 id="http-request-smuggling-h1-clte--tecl--tete">HTTP Request Smuggling (H1): CL.TE / TE.CL / TE.TE</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-444 <strong>OWASP</strong>: A05:2021 – Security Misconfiguration <strong>PortSwigger Research</strong>: <a href="https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn">https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn</a></p> </blockquote> <hr> <h2 id="what-is-http-request-smuggling">What Is HTTP Request Smuggling?</h2> <p>Modern web architectures use a <strong>chain of HTTP processors</strong>: a frontend (CDN, load balancer, reverse proxy) that forwards requests to a backend server. These processors must agree on where each HTTP request ends and the next begins.</p> <p>HTTP/1.1 allows two ways to specify body length:</p> https://az0th.it/web/request/092-request-http2-rapidreset/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/request/092-request-http2-rapidreset/ <h1 id="http2-rapid-reset-cve-2023-44487">HTTP/2 Rapid Reset (CVE-2023-44487)</h1> <blockquote> <p><strong>Severity</strong>: High (DoS) | <strong>CWE</strong>: CWE-400 <strong>OWASP</strong>: A05:2021 – Security Misconfiguration</p> </blockquote> <hr> <h2 id="what-is-http2-rapid-reset">What Is HTTP/2 Rapid Reset?</h2> <p>HTTP/2 Rapid Reset is a DoS amplification technique that exploits the HTTP/2 stream multiplexing mechanism. In HTTP/2, a client can open multiple concurrent streams on a single TCP connection and cancel them immediately with a <code>RST_STREAM</code> frame — before the server has finished processing them.</p> <p>The attack pattern:</p> <ol> <li>Client sends <code>HEADERS</code> frame (initiates a request on stream N)</li> <li>Client immediately sends <code>RST_STREAM</code> frame (cancels stream N)</li> <li>Repeat at high rate — the server must still process each HEADERS frame before seeing the reset</li> </ol> <p>The server incurs full request parsing and dispatch cost per stream. The client incurs almost none — it resets before receiving any response. This asymmetry is the amplification vector.</p> https://az0th.it/web/request/091-request-http2-smuggling/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/request/091-request-http2-smuggling/ <h1 id="http2-request-smuggling">HTTP/2 Request Smuggling</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-444 <strong>OWASP</strong>: A02:2021 – Cryptographic Failures / A05:2021 – Security Misconfiguration</p> </blockquote> <hr> <h2 id="what-is-http2-smuggling">What Is HTTP/2 Smuggling?</h2> <p>HTTP/2 uses a binary framing layer with explicit frame lengths — there is <strong>no Content-Length or Transfer-Encoding ambiguity within a true HTTP/2 connection</strong>. Smuggling occurs at the <strong>H2→H1 downgrade boundary</strong>: a front-end proxy accepts HTTP/2 but forwards to a back-end over HTTP/1.1. Two main attack variants:</p> <pre tabindex="0"><code>H2.CL — Front-end ignores HTTP/2 framing length, uses attacker-supplied Content-Length to forward to backend. Backend processes CL but sees extra bytes as a new request. H2.TE — Front-end strips Transfer-Encoding header received in H2, but attacker-supplied TE header survives downgrade. Backend sees chunked encoding → processes smuggled prefix. H2.0 — HTTP/2 cleartext (h2c) upgrade smuggling (CONNECT-based tunnel abuse) </code></pre><p>Key difference from H1 smuggling: HTTP/2 headers are <strong>pseudo-headers</strong> (<code>:method</code>, <code>:path</code>, <code>:scheme</code>, <code>:authority</code>) — injecting newlines in header values can create entirely new HTTP/1.1 headers after downgrade.</p> https://az0th.it/web/request/094-request-cache-deception/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/request/094-request-cache-deception/ <h1 id="web-cache-deception">Web Cache Deception</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-200, CWE-346 <strong>OWASP</strong>: A01:2021 – Broken Access Control</p> </blockquote> <hr> <h2 id="what-is-web-cache-deception">What Is Web Cache Deception?</h2> <p>Unlike cache poisoning (attacker poisons cache to affect other users), <strong>cache deception</strong> tricks the cache into storing a <strong>victim&rsquo;s private, authenticated response</strong> as a public, cacheable resource — then the attacker retrieves it.</p> <pre tabindex="0"><code>Normal: GET /account/profile → private, authenticated → Cache-Control: no-store Trick: GET /account/profile.css → server ignores .css, serves profile page CDN caches because .css extension → marked as static asset Attacker: GET /account/profile.css → CDN returns cached victim profile </code></pre><p><strong>Key requirement</strong>: path routing that ignores the appended path/extension, combined with a cache that uses file-extension-based caching rules.</p> https://az0th.it/web/request/093-request-cache-poisoning/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/request/093-request-cache-poisoning/ <h1 id="web-cache-poisoning">Web Cache Poisoning</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-346, CWE-116 <strong>OWASP</strong>: A05:2021 – Security Misconfiguration</p> </blockquote> <hr> <h2 id="what-is-web-cache-poisoning">What Is Web Cache Poisoning?</h2> <p>A cache stores responses keyed by URL + headers. Poisoning works by injecting malicious content into a <strong>cached response</strong> that is then served to all users requesting the same URL. Key concept: <strong>cache key</strong> (what identifies a unique cache entry) vs <strong>unkeyed inputs</strong> (headers/params that affect the response but aren&rsquo;t in the cache key).</p>