HTTP Desync Attack
What is HTTP Desync Attack?
HTTP Desync Attack: A modern form of HTTP request smuggling that desynchronises a chain of proxies and servers to inject malicious traffic into other users' connections.
Popularised by James Kettle's 2019 "HTTP Desync Attacks" research, desync attacks deliberately put a front-end proxy out of step with the back-end about how to parse a request stream. Techniques include CL.TE, TE.CL, TE.TE, HTTP/2-to-HTTP/1.1 downgrades and chunked-encoding tricks. Once the connection is desynced, attacker-supplied bytes are prepended to the next victim's request, leading to credential theft, internal-endpoint access, response queue poisoning, and bypass of authentication or WAFs. Defences include using HTTP/2 end to end, strict header validation, rejecting requests that contain both Content-Length and Transfer-Encoding, dropping ambiguous requests at the edge, and continuous testing with tools like HTTP Request Smuggler.
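The edge-side defences listed above (strict header validation, rejecting requests with both Content-Length and Transfer-Encoding, dropping ambiguous requests) can be expressed as a single framing check. This is an added example, not code from the research or from any proxy; the function name `check_framing`, the sample requests and the strict "chunked only" policy are assumptions made for illustration.

```python
import re

# RFC 9110 field-name token characters; anything else in a header name is rejected.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def check_framing(raw: bytes):
    """Return (ok, reason) for a raw HTTP/1.1 request, judged on its head only."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    stray = head.replace(b"\r\n", b"")
    if b"\r" in stray or b"\n" in stray:
        return False, "bare CR or LF in request head"
    fields = {}
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            return False, "malformed header name"
        fields.setdefault(name.lower(), []).append(value.strip(b" \t"))
    cl = fields.get(b"content-length", [])
    te = fields.get(b"transfer-encoding", [])
    if cl and te:
        return False, "both Content-Length and Transfer-Encoding"
    if len(cl) > 1:
        return False, "multiple Content-Length headers"
    if cl and not re.fullmatch(rb"[0-9]+", cl[0]):
        return False, "non-numeric Content-Length"
    # Assumed strict policy: the only accepted request coding is exactly "chunked".
    if te and (len(te) > 1 or te[0].lower() != b"chunked"):
        return False, "unexpected Transfer-Encoding value"
    return True, "ok"

# Constructed sample requests (heads only, no bodies).
SAMPLES = {
    "clean": b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11\r\n\r\n",
    "chunked": b"POST /submit HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "both": b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_cl": b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 4\r\nContent-Length: 11\r\n\r\n",
    "spaced": b"POST /submit HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_framing(raw))
```

A check like this belongs at the first hop that terminates client connections, so that every downstream server only ever sees requests with one unambiguous length.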
● Examples
- 01: HTTP/2-to-HTTP/1.1 downgrade desync that exfiltrates other users' session cookies.
- 02: Front-end keep-alive desync that hijacks the next request to an internal admin URL.
● Frequently asked questions
What is HTTP Desync Attack?
A modern form of HTTP request smuggling that desynchronises a chain of proxies and servers to inject malicious traffic into other users' connections. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against HTTP Desync Attack?
Defences for HTTP Desync Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for HTTP Desync Attack?
Common alternative names include: HTTP/1.1 desync, Connection-state attack.