Test for HTTP Request Smuggling #303
Comments
Do you think that it will be sufficient to check if the server uses HTTP 1.1, since this attack is possible for that protocol version only?
In my opinion this won't be sufficient because there are plenty of HTTP 1.1 servers that are not vulnerable to this attack; therefore such a check would have a large percentage of false positives.
I think there is no sane reason to keep HTTP 1.1 if there is version 2.0, which cuts this vulnerability off, but you are right, not all HTTP 1.1 servers are vulnerable. I will try to find a solution to identify an HTTP Request Smuggling attack; however, I think it is worth implementing a check for whether HTTP runs on version 1.1 and recommending switching to 2.0.
If possible, implementing a Nuclei template is a better idea than an Artemis module.
No description provided.