Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Test for HTTP Request Smuggling #303

Open
kazet opened this issue Apr 19, 2023 · 4 comments
Open

Test for HTTP Request Smuggling #303

kazet opened this issue Apr 19, 2023 · 4 comments

Comments

@kazet
Copy link
Member

kazet commented Apr 19, 2023

No description provided.

@moarcode
Copy link

moarcode commented Jul 21, 2023

Do you think that it will be sufficient to check if server uses HTTP 1.1 since this attack is possible for that protocol version only?

@kazet
Copy link
Member Author

kazet commented Jul 22, 2023

In my opinion this won't be sufficient because there is plenty of HTTP 1.1 servers that are not vulnerable to this attack, therefore such a check would have a large percentage of false positives

@moarcode
Copy link

moarcode commented Jul 24, 2023

I think there is no sane reason to keep HTTP 1.1 if there is version 2.0 which cuts this vulnerability off, but you are right, not all HTTP 1.1 servers are vulnerable. I will try to find a solution to identify HTTP Request Smuggling attack, however, I think it is worth to implement check if HTTP runs on 1.1 version and recommend switching to 2.0.

@kazet
Copy link
Member Author

kazet commented Oct 30, 2023

if possible, implementing a Nuclei template is a better idea than an Artemis module

@KejtiT KejtiT self-assigned this Oct 31, 2023
@kazet kazet added this to the 9-23.11.2023 sprint milestone Nov 13, 2023
@kazet kazet assigned kazet and KejtiT and unassigned brzeszczu and KejtiT Dec 21, 2023
@kazet kazet removed this from the 9.11-7.12.2023 sprint milestone Aug 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants