
Researcher Discovers New HTTP Request Smuggling Attack Variants
2020-08-06 13:14

A researcher has detailed several new variants of an attack named HTTP request smuggling, and he has proposed some new defenses against such attacks.

HTTP request smuggling, also known as HTTP desyncing, has been known since 2005, but Amit Klein, VP of security research at SafeBreach, believes the method has not been fully analyzed, which is why he has decided to conduct a research project focusing on this attack technique.

An attacker can abuse this to "smuggle" a malicious HTTP request to a server through an HTTP device by leveraging the discrepancy in how the server interprets the stream and how the HTTP device views the stream.

Klein told SecurityWeek, ahead of his talk on HTTP request smuggling at the Black Hat conference, that an attacker needs to find combinations of web servers and proxy servers with "matching" vulnerabilities in order to launch an attack, which makes it difficult to determine exactly how many servers are impacted.

The researcher has proposed some new defenses against HTTP request smuggling attacks, and during his tests he identified some interesting behavior in the case of some payloads, which could pave the way for future research in this area.
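The discrepancy described above is a disagreement between two parsers about where one request ends and the next begins. As an added example (not taken from the article or from Klein's research), the Python check below flags request framing that RFC 7230 tells recipients to treat as an error or that a strict front end can refuse; the function name, the strict Transfer-Encoding policy and the sample requests are assumptions made for this illustration.

```python
import re

# Added illustration, not code from the article or from Klein's research.
# Header names must be RFC 7230 "token" characters: no spaces, no tabs.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_findings(raw: bytes) -> list:
    """List reasons two HTTP parsers could disagree on where this request ends."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header section"]
    findings, lengths, encodings = [], [], []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("header line without a colon")
            continue
        if not TOKEN.fullmatch(name):               # e.g. "Content-Length : 5"
            findings.append("invalid character in header name")
        key = name.strip().lower()                  # how a lenient parser reads it
        val = value.strip(b" \t")
        if key == b"content-length":
            lengths.append(val)
        elif key == b"transfer-encoding":
            encodings.append(val.lower())
    if any(not re.fullmatch(rb"[0-9]+", v) for v in lengths):
        findings.append("Content-Length is not a plain decimal number")
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and encodings:
        findings.append("both Content-Length and Transfer-Encoding present")
    if any(v != b"chunked" for v in encodings):     # assumed strict policy
        findings.append("Transfer-Encoding other than exactly 'chunked'")
    if b"\n" in head.replace(b"\r\n", b""):
        findings.append("bare LF inside header section")
    return findings

# Constructed sample requests (hypothetical host and path, harmless bodies).
CLEAN = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACED = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length : 5\r\nContent-Length: 7\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("spaced", SPACED)):
        print(label, framing_findings(req))
```

A front end that rejects any request with a non-empty findings list never forwards bytes whose boundaries the back end might read differently.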


News URL

http://feedproxy.google.com/~r/Securityweek/~3/dmNjuFQO-_k/researcher-discovers-new-http-request-smuggling-attack-variants