The Web's Foundation is Broken

For years, a fundamental flaw in HTTP/1.1 has been actively exploited: request smuggling, also known as a desync. This isn't a bug you can patch; it's a protocol-level vulnerability, and the only real fix is to move on. This page summarises the findings of James Kettle's (PortSwigger) 2025 research "HTTP/1.1 Must Die: The Desync Endgame".

[Headline counters from the interactive page; the animated figures are not recoverable here: total bug bounties awarded (USD), and sites exposed by a single flaw (millions; the Cloudflare finding below puts this at 24 million).]

The Core Flaw: Ambiguous Boundaries

HTTP/1.1 is a text-based protocol in which requests are sent one after another over the same connection, so every parser must decide where each request's body ends and the next request begins. The specification offers more than one way to say so (a `Content-Length` header, or `Transfer-Encoding: chunked`), and implementations differ in which one they honour and in how strictly they parse each. When a front-end proxy and a back-end server disagree on that boundary, an attacker can "smuggle" bytes that the back-end reads as the start of a second request the front-end never meant to send. The diagram below shows how this "desync" occurs.

[Diagram: Front-End Proxy → Back-End Server. Request A and Request B are forwarded normally; a Smuggled request is then split differently by the two sides, producing a DESYNC!]

The Attacker's Arsenal

As defenses for classic request smuggling matured, attackers innovated. The research unveiled novel vectors that bypass modern mitigations by exploiting deeper, more obscure corners of the HTTP/1.1 specification, showing that patching symptoms doesn't fix the root cause.

CL.TE & TE.CL

The original techniques. An attacker sends a request carrying both a `Content-Length` (CL) header and a `Transfer-Encoding: chunked` (TE) header. RFC 9112 says Transfer-Encoding overrides Content-Length and that such a message ought to be treated as an error, but not every implementation follows that rule: in CL.TE the front-end honours Content-Length while the back-end honours Transfer-Encoding, and in TE.CL it is the reverse. Either way the two parsers carve the same bytes into different requests, and a desync occurs. While many systems now have basic defenses against this, subtle variations (an obfuscated Transfer-Encoding header that only one side recognises, for example) can still succeed.
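The following is an added worked example, not code from the page or from the research it summarises: a toy HTTP/1.1 request splitter whose body-length policy can be set to "Content-Length wins" or "Transfer-Encoding wins". Feeding the same bytes to both policies reproduces the boundary disagreement described in the core-flaw section and in the CL.TE and TE.CL descriptions above. The hostname `victim.example`, the `/admin` path and the `X-Ignore` header are constructed for the demonstration.

```python
CRLF = b"\r\n"


def parse_head(buf, pos):
    """Parse the request line and headers at pos.

    Returns (request_line, headers, body_pos), or None when the blank line
    that ends the header block has not arrived yet."""
    end = buf.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = buf[pos:end].split(CRLF)
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1"))
    return lines[0].decode("latin-1"), headers, end + 4


def read_chunked(buf, pos):
    """Decode a chunked body at pos; return (body, pos_after) or None if incomplete."""
    body = b""
    while True:
        line_end = buf.find(CRLF, pos)
        if line_end == -1:
            return None
        size = int(buf[pos:line_end].split(b";")[0], 16)   # chunk-size, ignoring extensions
        pos = line_end + 2
        if size == 0:                                     # last-chunk; no trailers in this toy
            blank = buf.find(CRLF, pos)
            return (body, blank + 2) if blank != -1 else None
        if len(buf) < pos + size + 2:
            return None
        body += buf[pos:pos + size]
        pos += size + 2                                   # chunk data plus its CRLF


def split_requests(buf, policy):
    """Split buf into (request_line, body) pairs the way a parser with `policy` would.

    policy "cl": Content-Length decides the body and Transfer-Encoding is ignored.
    policy "te": Transfer-Encoding: chunked decides when present (the RFC 9112 rule).
    Parsing stops at the first incomplete request, where a real server would
    block waiting for more bytes on the connection."""
    out, pos = [], 0
    while pos < len(buf):
        head = parse_head(buf, pos)
        if head is None:
            break
        request_line, headers, pos = head
        chunked = any(v.lower() == "chunked" for v in headers.get("transfer-encoding", []))
        if policy == "te" and chunked:
            decoded = read_chunked(buf, pos)
            if decoded is None:
                break
            body, pos = decoded
        else:
            length = int(headers.get("content-length", ["0"])[0])
            if len(buf) < pos + length:
                break
            body, pos = buf[pos:pos + length], pos + length
        out.append((request_line, body))
    return out


def head_bytes(method, path, extra=""):
    """Request line + Host + optional extra header lines, then the blank line (constructed)."""
    return f"{method} {path} HTTP/1.1\r\nHost: victim.example\r\n{extra}\r\n".encode()


VICTIM = head_bytes("GET", "/")        # an innocent request queued behind the attacker's


def cl_te_stream():
    """Front-end trusts CL, back-end trusts TE.

    The front-end forwards one body of len(body) bytes. The back-end's chunked
    decoder stops at the 0-size chunk and treats the remaining bytes as the start
    of the next request, so the victim's request line is swallowed into X-Ignore."""
    body = b"0\r\n\r\n" + b"GET /admin HTTP/1.1\r\nX-Ignore: "
    attacker = head_bytes("POST", "/", f"Content-Length: {len(body)}\r\nTransfer-Encoding: chunked\r\n")
    return attacker + body + VICTIM


def te_cl_stream():
    """Front-end trusts TE, back-end trusts CL.

    The front-end forwards one chunked body. The back-end takes only the 4-byte
    chunk-size line as the body and parses the chunk's contents as a second,
    smuggled request, so it answers three requests where the front-end sent two:
    the extra response goes to whoever is next on the connection."""
    smuggled = head_bytes("GET", "/admin", "Content-Length: 7\r\n")   # 7 == len(b"\r\n0\r\n\r\n")
    size_line = f"{len(smuggled):x}\r\n".encode()
    attacker = head_bytes("POST", "/", f"Content-Length: {len(size_line)}\r\nTransfer-Encoding: chunked\r\n")
    return attacker + size_line + smuggled + b"\r\n0\r\n\r\n" + VICTIM


if __name__ == "__main__":
    for name, stream, fe, be in (("CL.TE", cl_te_stream(), "cl", "te"),
                                 ("TE.CL", te_cl_stream(), "te", "cl")):
        print(name, "front-end sees:", [r for r, _ in split_requests(stream, fe)])
        print(name, "back-end sees: ", [r for r, _ in split_requests(stream, be)])
```

Run it and compare the two lists for each scenario: in CL.TE the back-end never sees the victim's `GET /` at all, it sees `GET /admin` instead; in TE.CL the back-end answers three requests where the front-end sent two, so the spare response is handed to whichever client next shares the connection. Both policies agree on a benign stream, which is exactly why the bug stays invisible until someone sends both headers.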

Breaking the Deadlock

This attack was long considered theoretical. The front-end believes the request has no body and waits for the back-end's response; the back-end, honouring a `Content-Length` the front-end ignored, waits for a body that will never arrive. Each side is waiting for the other, and the connection simply times out. The research proved it practical by discovering "early-response gadgets" (such as requesting a reserved filename on IIS) that make the back-end respond *before* reading the body. That breaks the deadlock: the front-end relays the response and forwards the next request on the same connection, and the back-end consumes that request's first bytes as the still-outstanding body, desynchronising everything that follows.

A New Desync Primitive

The `Expect: 100-continue` header lets a client ask the server to confirm, with an interim `100 Continue` response, that it will accept a request before the client sends a large body. That optimisation is a "complexity bomb": handling it correctly across a proxy chain is so tricky that it can be abused to trigger desyncs on a massive scale. Even light obfuscation of this header was shown to bypass WAFs and compromise major CDNs, proving that signature-based defenses are inadequate.

The Blast Radius: Real-World Compromises

These are not theoretical vulnerabilities. The research demonstrated systemic flaws in core internet infrastructure, leading to significant bug bounty payouts and exposing millions of websites. The findings below include the bounties awarded for some of the key results.

Akamai CDN

An `Expect`-based attack (CVE-2025-32094) led to 74 separate bounty reports totaling over $221,000. It allowed serving arbitrary content to users of sites like `auth.lastpass.com`.

Cloudflare

An internal desync exposed over 24 million websites to potential takeover. A single flaw in the infrastructure had a catastrophic blast radius.

Netlify CDN (The Paradox)

A critical Response Queue Poisoning flaw allowed hijacking responses from any other website on the platform, yet was deemed "out of scope" of the bug bounty program, highlighting a dangerous blind spot.

GitLab

A desync on a bug bounty server was used to steal a video of an unpatched zero-day vulnerability, demonstrating the potential for corporate espionage.

T-Mobile

A desync vulnerability on a staging domain was still considered critical enough to be awarded a $12,000 bounty, showing the perceived risk even in non-production environments.

AWS (Compatibility Debt)

A known desync affecting AWS ALB in front of IIS was intentionally left unpatched to preserve compatibility with "ancient" clients, demonstrating how "compatibility debt" perpetuates insecurity for every customer of the platform.

The Only Solution: Protocol Migration

Patching individual vulnerabilities is a losing battle. The research concludes that HTTP/1.1 is irredeemable and that the only real fix is to adopt HTTP/2, which is structurally immune to this entire class of attacks: every frame carries an explicit length field, so there are no competing length specifiers for two parsers to disagree about. That guarantee holds only when HTTP/2 is spoken end-to-end; translating back to HTTP/1.1 behind the front-end reintroduces the problem.

HTTP/1.1: Fatally Flawed

  • Text-based and lenient
  • Ambiguous request boundaries
  • Multiple, competing length specifiers (CL, TE)
  • Prone to parser discrepancies
  • Vulnerable by design in proxy chains

HTTP/2: Structurally Secure

  • Binary and strict
  • Deterministic message framing
  • Single, explicit length field per frame
  • No room for interpretation
  • Immune to desync attacks by design, provided it is used end-to-end

Critical Warning: The Danger of Downgrading

Configuring your front-end to accept HTTP/2 but then downgrading to HTTP/1.1 to talk to your back-end is more dangerous than using HTTP/1.1 end-to-end. The translation step reintroduces the ambiguity HTTP/2 removed: a `Content-Length` or `Transfer-Encoding` header that was inert inside the binary framing is copied into the generated HTTP/1.1 request, creating the H2.CL and H2.TE desync vectors, while the HTTP/2 front-end gives a false sense of security. End-to-end HTTP/2 is the only safe configuration.
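The following is an added example, not code from the page or from the research it summarises, illustrating both why HTTP/2 framing leaves no room for interpretation and how a downgrade throws that away: a minimal HTTP/2 frame splitter plus two HTTP/2-to-HTTP/1.1 downgrade translators, one that copies every header through (the H2.TE hazard) and one that rejects what RFC 9113 calls malformed. HEADERS payloads use a toy "name: value" per line encoding in place of HPACK, an assumption made to keep the example self-contained, and all hostnames, paths and header values are constructed.

```python
FRAME_DATA, FRAME_HEADERS = 0x0, 0x1
FLAG_END_STREAM = 0x1
# Fields RFC 9113 section 8.2.2 treats as connection-specific; an HTTP/2 message carrying one is malformed.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}


def frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def split_frames(buf):
    """Return (frames, leftover). Each boundary comes from the frame's own length
    field, so any parser that reads the 9-byte header slices buf identically;
    a short tail is simply an incomplete frame, never a second interpretation."""
    frames, pos = [], 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        if pos + 9 + length > len(buf):
            break
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, buf[pos + 9:pos + 9 + length]))
        pos += 9 + length
    return frames, buf[pos:]


def assemble_requests(buf):
    """Group frames by stream into (fields, body). HEADERS payloads use a toy
    'name: value' per line encoding instead of HPACK (assumption for the demo)."""
    streams = {}
    for ftype, flags, sid, payload in split_frames(buf)[0]:
        st = streams.setdefault(sid, {"fields": [], "body": b""})
        if ftype == FRAME_HEADERS:
            for line in payload.decode("utf-8").splitlines():
                name, _, value = line.partition(": ")
                st["fields"].append((name.strip().lower(), value.strip()))
        elif ftype == FRAME_DATA:
            st["body"] += payload
    return [(st["fields"], st["body"]) for _, st in sorted(streams.items())]


def naive_downgrade(fields, body):
    """Rewrite the request as HTTP/1.1, forwarding every regular header unchanged.
    A transfer-encoding field that was inert in HTTP/2 now sits beside the
    Content-Length derived from the DATA frames: two competing length specifiers,
    which is the H2.TE vector."""
    pseudo = dict(f for f in fields if f[0].startswith(":"))
    out = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\nhost: {pseudo[':authority']}\r\n"
    for name, value in fields:
        if not name.startswith(":") and name != "content-length":
            out += f"{name}: {value}\r\n"
    out += f"content-length: {len(body)}\r\n\r\n"
    return out.encode() + body


def safe_downgrade(fields, body):
    """Same rewrite, but reject the request as malformed when it carries a
    connection-specific field or a TE other than 'trailers' (RFC 9113 8.2.2), or a
    content-length that disagrees with the DATA frames actually received (8.1.1)."""
    for name, value in fields:
        if name in CONNECTION_SPECIFIC:
            raise ValueError(f"malformed request: connection-specific field {name!r}")
        if name == "te" and value.lower() != "trailers":
            raise ValueError("malformed request: te must be 'trailers'")
        if name == "content-length" and int(value) != len(body):
            raise ValueError("malformed request: content-length does not match DATA frames")
    return naive_downgrade(fields, body)


def downgrade_all(buf, translator):
    """Translate every request in buf; a rejected request is reported as its error text."""
    results = []
    for fields, body in assemble_requests(buf):
        try:
            results.append(translator(fields, body))
        except ValueError as exc:
            results.append(str(exc))
    return results


def h2_te_stream():
    """Constructed attacker bytes: a POST whose header block smuggles transfer-encoding
    and whose DATA payload is a CL.TE prefix aimed at the HTTP/1.1 back-end."""
    fields = b":method: POST\n:path: /\n:authority: victim.example\ntransfer-encoding: chunked"
    body = b"0\r\n\r\nGET /admin HTTP/1.1\r\nX-Ignore: "
    return frame(FRAME_HEADERS, 0, 1, fields) + frame(FRAME_DATA, FLAG_END_STREAM, 1, body)


def benign_stream():
    """Constructed ordinary GET on stream 3, to show both translators agree on it."""
    return frame(FRAME_HEADERS, FLAG_END_STREAM, 3, b":method: GET\n:path: /\n:authority: victim.example")


if __name__ == "__main__":
    print(downgrade_all(h2_te_stream(), naive_downgrade)[0].decode())
    print(downgrade_all(h2_te_stream(), safe_downgrade)[0])
```

The naive translator turns a perfectly unambiguous HTTP/2 request into an HTTP/1.1 request carrying both `transfer-encoding: chunked` and a `content-length`, handing the back-end exactly the CL.TE choice the framing layer had eliminated. The strict translator refuses it before it ever reaches HTTP/1.1, and still produces byte-identical output for an ordinary request, which is the check to demand from any front-end that insists on downgrading.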

Your Call to Action

Securing the web requires a collective effort. The evidence is clear: the time has come to plan the end of HTTP/1.1 for all server-to-server communication. Here are actionable recommendations for different roles.

  • Prioritize Detection: Use modern tools like HTTP Request Smuggler v3.0 that can find novel desync patterns. Standard scanners will miss them.
  • Shift to Architecture: Accept that perfect prevention is impossible in HTTP/1.1. Focus on architectural change over chasing WAF rules.
  • Enhance Monitoring: Watch for the symptoms of desync attacks: spikes in `400` or `502` responses on otherwise ordinary requests, responses that don't match the requests that were sent, and unexplained connection timeouts.
  • Mandate Upstream HTTP/2: The most effective control. Make end-to-end HTTP/2 a core security requirement in all architectural reviews.
  • Audit Your Supply Chain: Vigorously question your CDN and cloud vendors. Do they downgrade to HTTP/1.1? Demand transparency and proof of protection.
  • Refuse "Compatibility Debt": Don't let the need to support ancient, broken clients dictate your security posture. Push for modern standards.
  • Accelerate Deprecation: The industry must collectively phase out HTTP/1.1 for server-to-server communication.
  • Provider Responsibility: Cloud and CDN providers must lead the migration, making end-to-end HTTP/2 the default, secure option.
  • Communicate Timelines: Providers should develop and announce clear timelines for the full deprecation of upstream HTTP/1.1 support.
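The following is an added example, not from the page, for the "Enhance Monitoring" recommendation above: a detector run over access-log lines in the common log format. The thresholds are assumptions to be tuned against your own baseline, and the log lines are generated inline for the demonstration rather than taken from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common log format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return client, minute bucket, request and status; None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"client": m.group("client"), "minute": ts.replace(second=0),
            "request": m.group("request"), "status": int(m.group("status"))}


def bucket_by_minute(lines):
    """Count requests, 400s and 502s per minute and remember which clients got errors."""
    buckets = defaultdict(lambda: {"total": 0, 400: 0, 502: 0, "error_clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = buckets[rec["minute"]]
        b["total"] += 1
        if rec["status"] in (400, 502):
            b[rec["status"]] += 1
            b["error_clients"].add(rec["client"])
    return buckets


def find_desync_symptoms(lines, min_requests=10, floor=0.05, ratio=4.0):
    """Flag minutes whose 400+502 rate is above `floor` and more than `ratio` times
    the rate seen in all earlier minutes, and where the errors hit more than one
    client. Thresholds are assumptions; tune them against your own baseline.

    The shape of the signal: during a desync the back-end is answering requests
    the front-end never meant to send, so ordinary requests from unrelated clients
    start failing with 400 or 502. One noisy client sending junk does not qualify."""
    buckets = bucket_by_minute(lines)
    flagged, seen_total, seen_err = [], 0, 0
    for minute in sorted(buckets):
        b = buckets[minute]
        errors = b[400] + b[502]
        rate = errors / b["total"]
        baseline = seen_err / seen_total if seen_total else 0.0
        if (b["total"] >= min_requests and rate >= floor
                and rate > ratio * max(baseline, 0.01) and len(b["error_clients"]) > 1):
            flagged.append({"minute": minute.strftime("%Y-%m-%d %H:%M"), "rate": round(rate, 2),
                            400: b[400], 502: b[502], "clients": len(b["error_clients"])})
        seen_total += b["total"]
        seen_err += errors
    return flagged


def sample_log():
    """Constructed log: two quiet minutes, then one minute in which several unrelated
    clients start receiving 400/502 on ordinary requests."""
    lines = []

    def add(minute, client, request, status):
        second = len(lines) % 60
        lines.append(f'{client} - - [10/Aug/2025:12:0{minute}:{second:02d} +0000] "{request}" {status} 512')

    for minute in (0, 1):
        for i in range(20):
            add(minute, f"198.51.100.{i}", "GET / HTTP/1.1", 200)
    for i in range(20):
        status = 400 if i % 4 == 0 else 502 if i == 5 else 200
        add(2, f"203.0.113.{i}", "GET /account HTTP/1.1", status)
    return lines


if __name__ == "__main__":
    for hit in find_desync_symptoms(sample_log()):
        print(hit)
```

The per-client check matters: a single scanner hammering the front-end with malformed requests will also produce a burst of 400s, but those land on one source address, whereas a poisoned connection spreads errors across whoever happens to be multiplexed onto it. Pair this with the response-mismatch check (a canary request whose body you can recognise) and a timeout counter on the upstream connection pool for the other two symptoms listed above.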