Re: HTTP request smuggling

2021-06-30 Thread Hans Middelhoek
Hi Maxim, On 30-6-2021 at 21:17, Maxim Dounin wrote: Hello! On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote: Thanks! That makes sense to me. I like to understand things a little better and hope you can help with that: 1) Why is the result different when I disable keepalive i

Re: HTTP request smuggling

2021-06-30 Thread Maxim Dounin
Hello!
On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:
> Thanks! That makes sense to me. I like to understand things a little
> better and hope you can help with that:
>
> 1) Why is the result different when I disable keepalive in Nginx? After
> disabling keepalive the second

Re: HTTP request smuggling

2021-06-30 Thread Hans Middelhoek
Hi Maxim, Thanks! That makes sense to me. I like to understand things a little better and hope you can help with that: 1) Why is the result different when I disable keepalive in Nginx? After disabling keepalive the second request isn't executed anymore. 2) Do you know why Apache respond the

Re: HTTP request smuggling

2021-06-30 Thread Maxim Dounin
Hello!
On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote:
> Recently I got a report from a security researcher who said I'm
> vulnerable for HTTP request smuggling attacks and included a
> demonstration. I couldn't imagine he was right because I'm using
> HTTP/1.0 connections bet