PortSwigger
HTTP/1.1 Insecurity and Desync Attack Techniques
Pages: 27
Time to read: 34 mins
Publication:
Language: English
This technical report discusses the inherent insecurities of the HTTP/1.1 protocol and introduces various classes of HTTP desynchronization (desync) attacks that can compromise user credentials on a large scale. The paper outlines how HTTP/1.1's design flaws, particularly the weak boundaries between requests, allow attackers to exploit parser discrepancies, leading to potential takeovers of millions of websites. It presents detailed case studies, including significant vulnerabilities affecting major infrastructures like Akamai and Cloudflare, which have exposed tens of millions of sites. Additionally, the author introduces an open-source toolkit for detecting parser discrepancies and discusses the challenges of mitigating these vulnerabilities. The report argues that simply patching individual implementation issues is insufficient and that HTTP/1.1 must be phased out in favor of more secure protocols like HTTP/2. The findings emphasize the need for a collective effort to address the fundamental flaws in HTTP/1.1 to enhance web security.