web proxy request-smuggling http-desync transfer-encoding infrastructure

Treat mismatched hop-by-hop parsing across a multi-hop HTTP/1.1 chain as the bug itself, surfacing internal routes or split requests.

Header and Transfer-Parsing Desync as an Infrastructure Attack Surface

The stack boundary itself is the bug. Even without a product CVE, mismatched interpretation of hop-by-hop data can surface internal routes or split requests.

Why It Matters

  • Reverse proxies, app servers, and hand-rolled internal fetchers each parse hop-by-hop data slightly differently; the disagreement is exploitable.

Vulnerable Pattern

  • Multi-hop HTTP/1.1 chains with reverse proxies, app servers, and hand-rolled internal fetchers.

Exploit Flow

  1. Inventory the chain first, including whether keep-alive is preserved between hops.
  2. Test one ambiguity at a time: duplicate Transfer-Encoding headers, tabs, spaces, or NBSP in header whitespace, Latin-1 bytes in header names, non-CRLF line endings, and inconsistent Content-Length values.
  3. Only after desync is confirmed should you invest in target-specific smuggling payloads.

Variations

  • TE/CL mismatch, duplicate hop-by-hop headers, header-name encoding tricks, or HTTP version downgrades.

Common Blockers

  • Connection reuse disabled, header normalization at the edge, or a backend that closes after each request.
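The edge-side normalization named above is the blocker that removes the whole class. As an added example (not code from the original page or its sources), a strict validator of the kind a front end would apply: it rejects every ambiguity listed under Exploit Flow step 2 rather than picking one interpretation and forwarding it. Function names and the strictness choices are assumptions.

```python
import re

# Hypothetical strict edge validator (added example, not from the original page).
# A normalizing front end rejects the ambiguities below instead of guessing,
# so the hops behind it never see a head they could frame differently.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token chars only
DIGITS = re.compile(rb"^[0-9]+$")

def parse_head(raw):
    """Split a raw request head on strict CRLF, returning [(lowercased name, value)]."""
    if not raw.endswith(b"\r\n\r\n"):
        raise ValueError("head must end with CRLF CRLF")
    head = raw[:-4]
    if b"\r" in head.replace(b"\r\n", b"") or b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("bare CR or LF line ending")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):  # catches 'TE :', Latin-1 or NBSP bytes in names
            raise ValueError("bad header name %r" % name)
        headers.append((name.lower(), value.strip(b" \t")))  # only SP/HTAB are OWS
    return headers

def framing_problems(raw):
    """Reasons a strict edge would reject this head; an empty list means clean."""
    try:
        headers = parse_head(raw)
    except ValueError as e:
        return [str(e)]
    problems = []
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        problems.append("Transfer-Encoding and Content-Length both present")
    if len(te) > 1:
        problems.append("duplicate Transfer-Encoding")
    for v in te:
        if v != b"chunked":  # 'chunked\xa0', 'xchunked', 'identity' all differ per hop
            problems.append("non-canonical Transfer-Encoding value %r" % v)
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not DIGITS.match(v):
            problems.append("non-numeric Content-Length %r" % v)
    return problems
```

A front end that forwards only heads for which `framing_problems` is empty gives every downstream hop the same, single framing to parse.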

PoC Sketch

Transfer-Encoding: chunked
Content-Length: 4

0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n\r\n
# then mutate TE spelling and whitespace

Good Situations To Use It

  • A multi-hop HTTP/1.1 chain with keep-alive.
  • No product CVE, but parsing differs between hops.
  • A useful internal route exists post-desync.

Sources

  • 0xFUN2026/web/skyport_ops
  • fcsc2026/web/bubulle_corp_2
  • sthack2026/web/magic_claw_2