HTTP1.1 必须消亡！同步终结篇.pdf

《HTTP1.1 必须消亡！同步终结篇.pdf》由会员分享，可在线阅读，更多相关《HTTP1.1 必须消亡！同步终结篇.pdf（50页珍藏版）》请在三个皮匠报告上搜索。

1、the desync endgameJames KettleJames KettleHTTP/1.1HTTP/1.1Must Die!Must Die!Use HTTP/2 hereFront-endBack-endHTTP/1s fatal flaw:where does the current request end and the next request start?HTTP/2HTTP/1.1GET/HTTP/1.1Host:POST/HTTP/1.1Transfer-Encoding:chunkedContent-Length:350GET/robots.txt HTTP/1.1X

2、:yThe desync endgameHTTP/1.1 200 OKDisallow:/POST/HTTP/1.1Transfer-Encoding:chunkedContent-Length:350GET/robots.txt HTTP/1.1X:yGET/HTTP/1.1Host:Blocked by regex/robots.txt gadget fails on this targetMissed due to race condition200 OKChange tactics,find bugsHTTP/2 200 OKGET/assets/icon.png HTTP/2 Hos

3、t:GET/assets HTTP/1.1 Host:X:yHTTP/2 302 FoundLocation:https:/ collaboration with Wannes Verwimp,Cresco CybersecurityReferer:https:/Host:Front-endBack-endTier 2Tier 3Tier 1Change tactics,find bugsHTTP/2 200 OKCf-Cache-Status:HITGET/assets/icon.png HTTP/2 Host:GET/assets HTTP/1.1 Host:X:xGET/assets/i

4、con.png?cb=123 HTTP/2 Host:GET/assets HTTP/1.1 Host:X:xHTTP/2 200 OKCf-Cache-Status:MISSThis worksThis failsTier 3+(cache)Tier 1Tier 2Tier 3Tier 4+$7,000HTTP/2HTTP/1.1HTTP/2Vulnerable websites:24,000,000CVE-2025-4366HTTP/1.1 is simple and other liesA HTTP/1 request cant directly target an intermedia

5、ryA HTTP/1 desync can only be caused by a parser discrepancyA HTTP/1 response contains everything a proxy needs to parse itA HTTP/1 response can only contain one header blockA complete HTTP/1 response requires a complete requestHTTP/1.1 must dieHTTP/1.1 must diemore desync attacks are comingOutline

6、Winning the desync endgame 0.CL desync attacks Expect-based desync attacks Defense how secure is HTTP/2+?Q&AFurther research ideaWinning the Winning the desync endgamedesync endgameRule 0)dont use transfer-encodingDetecting parser discrepancies1.Explore alternate detection headers2.Add new permutati