The Silent Danger in HTTP: Identifying HTTP Desync Vulnerabilities with Gray-box Testing
Description
HTTP Desync is a high-risk threat in today's decentralized Internet, stemming from discrepancies among HTTP implementations. Current automatic detection tools, primarily dictionary-based scanners and black-box fuzzers, lack insight into the internal state of the implementations under test, which makes their testing ineffective. Moreover, they focus on request-side Desync and overlook vulnerabilities in HTTP responses.
In this paper, we present HDHunter, a novel automatic HTTP discrepancy detection framework based on gray-box, coverage-directed differential testing. HDHunter can discover discrepancies not only in HTTP requests but also in HTTP responses and CGI responses. We evaluated our HDHunter prototype against 19 state-of-the-art HTTP implementations and identified 17 new HTTP Desync vulnerabilities. We have disclosed all identified vulnerabilities to the corresponding vendors and received acknowledgements and bug bounty rewards, including 9 CVEs from well-known HTTP software such as Apache, Tomcat and Squid.
Files
HDHunter-1.0.0.zip (471.3 MB)

Name | Size
---|---
md5:24c59259877888efc457c204b86e5d6e | 471.2 MB
md5:53acf23d7bdb5dcd2b50c079df88e6a0 | 4.3 kB