Pause-based desync in Apache HTTPD

Disclosed: 2022-08-25 07:02:46 By albinowax To ibb

High

Vulnerability Details

Apache was vulnerable to a pause-based desync. This vulnerability is described in detail in my whitepaper here: https://portswigger.net/research/browser-powered-desync-attacks#pause ## Impact This enables server-side HTTP Request Smuggling when Apache is deployed as a back-end server, and it also enables MITM attackers to inject arbitrary JavaScript in spite of TLS.

Actions

View on HackerOne

Report Stats

Report ID: 1667974
State: Closed
Substate: resolved
Upvotes: 68

Pause-based desync in Apache HTTPD

Vulnerability Details

Actions

Report Stats

Share this report