TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

PortSwigger Research

HTTP/1.1 must die: the desync endgame

2025-08-06 · Read original ↗

ATT&CK techniques detected

10 predictions
T1190Exploit Public-Facing Application
96%
"a line terminator ". behind such a front - end, this would be exploitable. this vulnerability was traced back to the underlying http library, and a patch is on the way. reporting theoretical findings like these is unlikely to net you sizeable bug bounty payouts, but could potenti…"
T1190Exploit Public-Facing Application
95%
"##ize any of the attacks beyond a dos, so this only took the total bounties earned to $ 21, 645. the best bounty experience was with exness who awarded $ 7, 500. as usual, the most valuable outcome wasn ' t the bounties themselves - it was the foundation this work provided for ou…"
T1190Exploit Public-Facing Application
89%
"1. 1 404 not found on a different target, the above exploit failed because the front - end server was rejecting get requests that contained a body. i was able to work around this simply by switching the method to options. it ' s the ability to spot and work around barriers like t…"
T1190Exploit Public-Facing Application
86%
"##dition failed host : x / x http / 1. 1 200 ok xost : x / x http / 1. 1 412 precondition failed this target was once again straightforward to exploit using a cl. 0 desync. in my experience, web vpns often have flawed http implementations and i would strongly advise against placi…"
T1190Exploit Public-Facing Application
84%
"alb - exploiting h - v without transfer - encoding - 0. cl desync attacks - the 0. cl deadlock - moving beyond 400 bad request - converting 0. cl into cl. 0 with a double - desync - more desync attacks are coming - expect - based desync attacks - bypassing response header removal…"
T1071.001Web Protocols
63%
"- food - corp > http / 1. 1 503 service unavailable host : < redacted - food - corp > http / 1. 1 400 bad request xost : < redacted - food - corp > http / 1. 1 503 service unavailable here, http request smuggler has detected that sending a request with a partially - hidden host h…"
T1190Exploit Public-Facing Application
43%
"and patched, websites remain silently vulnerable to inevitable future variants. these all stem from a fatal flaw in http / 1. 1 which means that minor implementation bugs frequently trigger severe security consequences. http / 2 + solves this threat. if we want a secure web, http…"
T1190Exploit Public-Facing Application
42%
"the expect header making interesting things happen. they had a solid research pedigree - their exploration of te. 0 request smuggling landed third in the top ten web hacking techniques of 2024. as such, we decided to team up. we ended up exploiting many, many targets. our finding…"
T1190Exploit Public-Facing Application
40%
"- published : wednesday, 6 august 2025 at 22 : 20 utc - updated : friday, 17 october 2025 at 10 : 13 utc upstream http / 1. 1 is inherently insecure and regularly exposes millions of websites to hostile takeover. six years of attempted mitigations have hidden the issue, but faile…"
T1190Exploit Public-Facing Application
39%
"< redacted > after this, some high - end payouts took us to around $ 95, 000 earned from 0. cl expect - based desync attacks. proving that it can break servers in every possible way, expect can also cause cl. 0 desync vulnerabilities. for example, we found a cl. 0 rqp vulnerabili…"

Summary

Abstract Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This p