Security researcher James Kettle is going to present significant findings on HTTP desync vulnerabilities at upcoming cybersecurity conferences, demonstrating continued security challenges in HTTP/1.1 implementations across major technology companies, government systems, and content delivery networks (CDNs).
The research, scheduled for presentation at Black Hat USA 2025 (August 6) and DEF CON 33 (August 8), will address misconceptions about the current state of HTTP request smuggling (also known as desync attacks) and demonstrate that these vulnerabilities remain a relevant security concern.
The significance of this research is evidenced by the fact that Kettle and collaborators have earned over $200,000 in bug bounties in just two weeks, indicating the practical impact and prevalence of these issues.
Addressing Security Misconceptions
"Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity," Kettle notes in his upcoming presentation abstract. "As long as HTTP/1.1 lives upstream, desync attacks will thrive."
This observation carries particular relevance given that, despite the growth of newer protocols, a significant portion of the web continues to rely on HTTP/1.1.
According to W3tech statistics, while HTTP/3 is used by 35.1% of websites and HTTP/2 by 33.2%, the remaining portion—representing millions of sites—continues to use the HTTP/1.1 protocol.
What Are HTTP Desync Attacks?
HTTP desync attacks, also known as HTTP request smuggling, exploit inconsistencies in how different HTTP servers interpret the same request. When a website uses multiple servers in a chain (like a front-end proxy and a back-end server), these attacks can cause the servers to become "desynchronized" - meaning they disagree about where one HTTP request ends and the next begins.
Understanding HTTP desync attacks - the Attack Vector
HTTP desync attacks exploit fundamental inconsistencies in how different servers interpret the same HTTP request. When websites use multiple servers in a chain—such as a front-end proxy and back-end server—these attacks can cause the servers to become "desynchronized," meaning they disagree about where one HTTP request ends and the next begins.
The vulnerability typically centers around two critical HTTP headers:
- Content-Length: Specifies the exact size of the request body in bytes
- Transfer-Encoding: Uses chunked encoding to send data in pieces
Consider this real-world attack scenario:
POST /login HTTP/1.1 Host: victim.com Content-Length: 6 Transfer-Encoding: chunked 0 GET /malicious HTTP/1.1 Host: victim.com
In this example, the front-end server processes the Transfer-Encoding header and interprets the "0" as the end of a chunk, while the back-end server relies on the Content-Length header and treats the leftover data as a new GET request.
This allows attackers to smuggle malicious requests that bypass security controls and potentially harvest sensitive data.
The scope of this research encompasses multiple high-profile targets. According to advanced details of Kettle's research, his findings include:
- Multiple affected targets across major technology companies, SaaS providers, and government systems
- CDN network vulnerabilities affecting almost every major content delivery network
- Credential access capabilities enabling attacks across multiple platforms simultaneously
- Government system exposure with numerous U.S. government websites and systems showing vulnerabilities
The research may reveal that even organizations with robust security measures—including tech giants with substantial cybersecurity investments—remain vulnerable to these sophisticated attacks, highlighting the fundamental nature of the problem.
The potential impact of successful desync attacks extends far beyond theoretical concerns like Mass theft of login credentials, Unauthorized access to user accounts through session hijacking, Injection of malicious content into web caches (cache poisoning), or Complete bypass of authentication and authorization controls.
Industry Response Anticipated
As James is going to disclose his research in the next few days, we may see multiple vendor responses after the release of the findings.
The research pre-blog post suggests that major technology vendors will need to respond to these revelations with patches and protective measures once the findings are made public at the upcoming conferences.
The challenges that organizations will likely face in addressing these vulnerabilities include:
- Legacy System Challenges: Older infrastructure that cannot be easily updated continues to pose risks
- Complex Configurations: Multi-tier architectures with numerous integration points complicate mitigation efforts
- Detection Difficulties: Many vulnerabilities are subtle and difficult to identify without specialized tools. However, James noted that he will share the research methodology and open-source toolkit that made this possible.
The Path Forward: Abandoning HTTP/1.1
Kettle's research will strongly advocate for what he calls "the mission to kill HTTP/1.1"—a complete migration away from the vulnerable protocol. The case for this transition appears compelling:
- HTTP/2 and HTTP/3 are inherently more secure against desync attacks
- Legacy protocol support creates unnecessary and persistent security risks
- Modern alternatives offer superior performance alongside enhanced security
"This represents a fundamental shift in how we approach web security," the research concludes. "The path forward requires a coordinated industry effort to abandon legacy HTTP/1.1 implementations in favor of more secure modern protocols."
Immediate Action Required
Organizations must take swift action to assess and mitigate their exposure to these vulnerabilities:
- Conduct immediate HTTP desync vulnerability assessments
- Plan comprehensive migration strategies to HTTP/2 or HTTP/3
- Implement enhanced traffic monitoring and analysis capabilities
- Prepare incident response procedures for potential desync-based attacks
- Conduct thorough audits of server and proxy configurations
Technical Mitigations: Organizations can implement server-level protections by rejecting requests containing both Content-Length and Transfer-Encoding headers, as this combination often indicates smuggling attempts.
A Wake-Up Call for the Industry
The timing of this research—to be presented at two of the cybersecurity industry's most prestigious conferences next week—will serve as a critical wake-up call. With millions of websites potentially vulnerable and attack techniques becoming increasingly sophisticated, the window for proactive defense may be rapidly closing.
As Kettle's research will demonstrate, even well-funded and security-conscious organizations are not immune to these fundamental protocol-level vulnerabilities. The discovery that such basic infrastructure components remain exploitable highlights a broader truth about cybersecurity: assumptions about the security of foundational technologies must be continuously challenged and validated.
The presentations scheduled for Black Hat USA 2025 (August 6) and DEF CON 33 (August 8) represent more than just another security vulnerability disclosure—they will serve as a clarion call for the industry to finally abandon insecure legacy protocols and embrace the security improvements offered by modern alternatives. The time for incremental patches and workarounds has passed; the time for fundamental change is now.