Black Hat USA 2025 | HTTP/1.1 Must Die! The Desync Endgame

Black Hat | Mar 23, 2026

Why It Matters

Desync attacks exploit HTTP/1.1's ambiguous request framing to silently compromise large parts of internet infrastructure, so moving upstream (proxy-to-origin) connections off HTTP/1.1 and rigorously auditing proxy parsers is essential for protecting web services.

Key Takeaways

  • HTTP/1.1's ambiguous request boundaries are the root cause of desync attacks
  • Vendors block known probes and add regex filters, but the underlying parser discrepancies stay unfixed
  • Cloudflare's HTTP/2-to-HTTP/1.1 downgrade toward origins creates a large, hidden desync surface
  • A new open-source toolkit automates discovery of parser discrepancies across proxies
  • An early-response quirk in IIS makes zero-Content-Length (0.CL) desync attacks exploitable

Summary

The Black Hat presentation "HTTP/1.1 Must Die! The Desync Endgame" warned that the fundamental design flaw in HTTP/1.1, its inability to reliably mark where one request ends and the next begins, continues to enable powerful desynchronisation attacks. Many organisations have layered on defences such as regular-expression filters and HTTP/2 on client-facing connections, but the parser discrepancies between front-end proxies and back-end servers remain largely unfixed, so attackers can still hijack other users' traffic, poison caches and, as one incident during the research showed, affect millions of sites at once.

James Kettle showed how modern deployments, especially those behind Cloudflare's front end, which accepts HTTP/2 from clients but downgrades to HTTP/1.1 for the connection to the origin, expose what he calls the desync endgame. During testing, a tiny omission, forgetting a cache-buster, let a desync inside Cloudflare's own infrastructure poison cached responses, redirecting users to an attacker-controlled domain and persisting across caches. Similar flaws were demonstrated against PayPal, a major bank's VPN, and numerous IIS servers behind Amazon's load balancers, showing that the problem spans both legacy and cloud-native environments.

The speaker unveiled an updated open-source tool, HTTP Request Smuggler v3, which systematically probes for parser discrepancies using diverse header permutations, malformed values and timing tricks. It classifies each discrepancy as "visible-hidden" (the front end honours a framing header that the back end ignores) or "hidden-visible" (the reverse), and from that classification researchers can craft reliable exploits such as zero-Content-Length (0.CL) desyncs, in which the front end forwards a request as bodiless while the back end waits for a body, bypassing defences that only look for Transfer-Encoding tricks. Notably, IIS was found to respond before reading the request body when the URL names a reserved device name; this early response breaks the server-side deadlock that otherwise stalls a 0.CL attack, making a class of desync previously thought impractical exploitable.
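To make the boundary-ambiguity argument and the visible-hidden / hidden-visible classification concrete, the following is an added illustration, not code from the talk or from HTTP Request Smuggler. It models two hypothetical HTTP/1.1 parsers that differ on a single quirk (whether whitespace before the colon in Content-Length is tolerated), frames the same constructed byte stream through each, and reports where their request boundaries diverge. The mutation list and all traffic are made up for the example; the parsers are not those of any real product.

```python
"""Added illustration: two simplified HTTP/1.1 parsers framing one byte stream.

Both parsers are hypothetical models, not any real proxy or server, and the
traffic below is constructed for the example.
"""
import re
from typing import Callable, Dict, List, Tuple

Request = Tuple[bytes, bytes]        # (head, body)
LengthFn = Callable[[bytes], int]    # head -> body length this parser expects


def strict_content_length(head: bytes) -> int:
    """Honours only a well-formed 'Content-Length:' header. A name followed by
    whitespace before the colon is ignored, so the request is framed with no
    body: the "hidden" side of a discrepancy."""
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
    return int(m.group(1)) if m else 0


def lenient_content_length(head: bytes) -> int:
    """Tolerates whitespace between the header name and the colon: the
    "visible" side of the same discrepancy."""
    m = re.search(rb"(?im)^content-length[ \t]*:[ \t]*(\d+)[ \t]*\r?$", head)
    return int(m.group(1)) if m else 0


def frame(stream: bytes, length_of: LengthFn) -> List[Request]:
    """Split a pipelined stream into requests as a parser using `length_of`
    would. A body that runs past the end of the stream is kept truncated;
    a real parser would block there waiting for the missing bytes."""
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:                      # incomplete head: wait for more data
            requests.append((stream[pos:], b""))
            break
        head = stream[pos:end + 4]
        body_len = length_of(head)
        body = stream[end + 4:end + 4 + body_len]
        requests.append((head, body))
        pos = end + 4 + body_len
    return requests


def request_lines(requests: List[Request]) -> List[bytes]:
    return [head.split(b"\r\n", 1)[0] for head, _ in requests]


def boundaries(stream: bytes, length_of: LengthFn) -> List[int]:
    """Byte offsets at which this parser believes each request starts."""
    offsets, pos = [], 0
    for head, body in frame(stream, length_of):
        offsets.append(pos)
        pos += len(head) + len(body)
    return offsets


def is_desynced(stream: bytes, front: LengthFn, back: LengthFn) -> bool:
    """True when front end and back end disagree on where requests begin."""
    return boundaries(stream, front) != boundaries(stream, back)


# Constructed traffic: an attacker's request followed on the same connection
# by a victim's request. 25 bytes covers the victim's request line plus the
# first two bytes of "Host", so the lenient parser swallows exactly that much.
ATTACKER = (b"POST /search HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Length : 25\r\n"
            b"\r\n")
VICTIM = (b"GET /account HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Cookie: session=victim\r\n"
          b"\r\n")
STREAM = ATTACKER + VICTIM

# Header mutations used to hunt for discrepancies between two parsers, in the
# spirit of permutation-based probing. These four are illustrative only.
MUTATIONS: Dict[str, bytes] = {
    "baseline":           b"Content-Length: %d\r\n",
    "space-before-colon": b"Content-Length : %d\r\n",
    "tab-after-colon":    b"Content-Length:\t%d\r\n",
    "leading-space":      b" Content-Length: %d\r\n",
}


def probe(front: LengthFn, back: LengthFn, body_len: int = 25) -> Dict[str, Tuple[int, int]]:
    """Per mutation, return (front view, back view) of the body length.
    A mismatch is a desync lead worth investigating."""
    results: Dict[str, Tuple[int, int]] = {}
    for name, template in MUTATIONS.items():
        head = b"POST / HTTP/1.1\r\nHost: example.test\r\n" + (template % body_len) + b"\r\n"
        results[name] = (front(head), back(head))
    return results


if __name__ == "__main__":
    print("front-end view:", request_lines(frame(STREAM, strict_content_length)))
    print("back-end view: ", request_lines(frame(STREAM, lenient_content_length)))
    print("desync:", is_desynced(STREAM, strict_content_length, lenient_content_length))
    for name, (f, b) in probe(strict_content_length, lenient_content_length).items():
        print(f"{name:20} front={f:3} back={b:3} {'MISMATCH' if f != b else ''}")
```

With the strict parser in front and the lenient one behind, the front end forwards the attacker's POST as bodiless and the victim's GET as a separate request, while the back end treats the first 25 bytes of the victim's request as the POST body and then parses a request whose request line is "st: example.test". Swapping the two roles reverses the direction of the mismatch; either way `is_desynced` flags the disagreement, and `probe` shows which of the constructed mutations exposes it.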

Kettle concluded that the only sustainable remedy is to retire HTTP/1.1 on upstream (proxy-to-origin) connections and use a binary, frame-based protocol such as HTTP/2 or HTTP/3 end to end, since those protocols carry explicit length fields rather than relying on headers that two parsers may read differently. Until then, organisations should audit proxy configurations, reject requests with ambiguous framing (for example both Transfer-Encoding and Content-Length, or malformed variants of either header), and run discrepancy-detection tooling against their own stacks. The research underscores that superficial mitigations give a false sense of security while the core protocol flaw remains a systemic risk.

Original Description

Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. As long as HTTP/1.1 lives, desync attacks will thrive.
In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets, including tech giants, SaaS providers, US government systems, and almost every company using a certain CDN. Every technique has been honed for maximum impact with minimum effort, with an unplanned collaboration yielding over $200,000 in bug bounties in two weeks.
I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated, canned-exploit probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that bleed server memory into attackers' welcoming arms. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me.
You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.
By: James Kettle | Director of Research, PortSwigger
Presentation Materials Available at:
