-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Test for HTTP Request Smuggling #303
Comments
Do you think that it will be sufficient to check if server uses HTTP 1.1 since this attack is possible for that protocol version only? |
In my opinion this won't be sufficient because there is plenty of HTTP 1.1 servers that are not vulnerable to this attack, therefore such a check would have a large percentage of false positives |
I think there is no sane reason to keep HTTP 1.1 if there is version 2.0 which cuts this vulnerability off, but you are right, not all HTTP 1.1 servers are vulnerable. I will try to find a solution to identify HTTP Request Smuggling attack, however, I think it is worth to implement check if HTTP runs on 1.1 version and recommend switching to 2.0. |
if possible, implementing a Nuclei template is a better idea than an Artemis module |
No description provided.
The text was updated successfully, but these errors were encountered: