
HTTP Desynchronization (Desync) Attack

Explore Pynt's documentation on HTTP desynchronization security tests! Understand how Pynt identifies and mitigates desync vulnerabilities to ensure robust protection for your APIs.

At a Glance: 🔄 HTTP De-synchronization (Desync) Attack

A de-synchronization vulnerability occurs when servers or components in an API ecosystem interpret HTTP requests inconsistently, especially regarding headers like Content-Length and Transfer-Encoding. This mismatch allows attackers to "smuggle" malicious requests through the front-end server to the back-end server without detection. These attacks can lead to unauthorized actions, data leakage, or even denial of service. To mitigate these risks, ensure strict validation and uniform interpretation of HTTP headers across all components.


Introduction

HTTP de-synchronization (commonly known as HTTP request smuggling) is a security vulnerability that exploits inconsistencies in how HTTP requests are parsed by front-end and back-end servers. When a server interprets the boundaries of HTTP requests differently, attackers can inject a malicious payload that is processed by one server but hidden from another.

This vulnerability can lead to various outcomes, such as bypassing security controls, extracting sensitive data, or disrupting the application's normal behavior. It typically arises in API gateways, proxies, or load balancers that handle HTTP traffic between components.

What are the common mistakes made by developers?

  1. Inconsistent Parsing of HTTP Headers: Failing to enforce uniform interpretation of HTTP headers like Content-Length and Transfer-Encoding between front-end and back-end servers.

  2. Allowing Ambiguous Headers: Accepting ambiguous or conflicting headers, such as requests containing both Content-Length and Transfer-Encoding, without resolving conflicts.

  3. Neglecting Request Queue Validation: Overlooking how request queues are processed by intermediary components, enabling attackers to smuggle additional requests.

  4. Trusting User-Supplied Input: Allowing unvalidated input in headers or payloads increases the risk of maliciously crafted requests.

How can I fix HTTP desynchronization issues?

Header Validation

  • Reject requests with ambiguous or conflicting headers (e.g., both Content-Length and Transfer-Encoding headers).

  • Enforce strict validation of HTTP headers to ensure compliance with RFC standards.

Uniform Parsing Rules

  • Ensure consistent interpretation of headers and request boundaries across all API components, including proxies, gateways, and back-end servers.

Disable Chunked Encoding (if unnecessary)

  • If your application does not require Transfer-Encoding: chunked, disable it to minimize parsing complexity.
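The three fixes above can be expressed as one gate that a front-end proxy or gateway runs on a request head before forwarding it. The following is an added example, not Pynt's code and not the code of any particular proxy: `parse_header_block`, `desync_findings`, the `allow_chunked` switch, the sample requests and the host `api.example.test` are all constructed for illustration. The gate returns the list of reasons to refuse a request; an empty list means the framing is unambiguous.

```python
import re
from typing import List, Tuple

# Added example: a strict framing gate for an HTTP/1.1 front-end. The
# function names are hypothetical, not part of Pynt or any library.

TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 'token'
CANON_INT_RE = re.compile(r"^(0|[1-9][0-9]*)$")           # no sign, no leading zeros


def parse_header_block(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into (request line, [(name, value), ...]).

    Deliberately strict: the head must end in a blank line, use CRLF only,
    contain no obs-fold continuation lines and no whitespace before the
    colon. Each of these is a spot where two parsers in one chain can
    legitimately disagree about where a header (or the request) ends.
    """
    if b"\r\n\r\n" not in raw:
        raise ValueError("request head not terminated by a blank line")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0]:
        raise ValueError("missing request line")
    request_line = lines[0].decode("latin-1")
    fields: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obs-fold continuation line")
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR or LF inside a header line")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon")
        name_s = name.decode("latin-1")
        if not TOKEN_RE.match(name_s):  # also rejects "Name :" (space before colon)
            raise ValueError(f"invalid header name {name_s!r}")
        fields.append((name_s.lower(), value.decode("latin-1").strip(" \t")))
    return request_line, fields


def desync_findings(raw: bytes, allow_chunked: bool = True) -> List[str]:
    """Return the reasons a front-end should refuse to forward this request.

    The checks map to the fixes above: header validation (CL/TE conflict,
    duplicate or non-canonical values), uniform parsing (one canonical
    spelling of 'chunked') and, with allow_chunked=False, no chunked
    encoding at all.
    """
    try:
        _, fields = parse_header_block(raw)
    except ValueError as exc:
        return [f"malformed head: {exc}"]

    findings: List[str] = []
    cl_values = [v for n, v in fields if n == "content-length"]
    te_values = [v for n, v in fields if n == "transfer-encoding"]

    # Rule 1: never both. RFC 9112 allows a server to reject such a message;
    # forwarding it leaves each hop free to pick a different body length.
    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present")

    # Rule 2: Content-Length must be one canonical decimal number. Identical
    # repeats are tolerated (the RFC permits that); signs, leading zeros,
    # empty values or differing numbers are rejected.
    cl_parts = [p.strip(" \t") for v in cl_values for p in v.split(",")]
    bad = [p for p in cl_parts if not CANON_INT_RE.match(p)]
    if bad:
        findings.append(f"non-canonical Content-Length value(s) {bad!r}")
    distinct = {p for p in cl_parts if CANON_INT_RE.match(p)}
    if len(distinct) > 1:
        findings.append(f"conflicting Content-Length values {sorted(distinct)!r}")

    # Rule 3: Transfer-Encoding, if allowed at all, must be exactly 'chunked'.
    # Coding names are case-insensitive per RFC, but implementations differ on
    # case and surrounding whitespace, so only the canonical spelling passes;
    # unknown or stacked codings are rejected outright.
    if te_values:
        if not allow_chunked:
            findings.append("Transfer-Encoding is disabled on this front-end")
        codings = [c.strip(" \t") for v in te_values for c in v.split(",")]
        if codings != ["chunked"]:
            findings.append(f"Transfer-Encoding must be exactly 'chunked', got {codings!r}")
    return findings


# Constructed sample request heads (not captured traffic), one per outcome.
CLEAN = (b"POST /api/orders HTTP/1.1\r\nHost: api.example.test\r\n"
         b"Content-Type: application/json\r\nContent-Length: 10\r\n\r\n"
         b'{"qty": 1}')
CL_TE = (b"POST /api/orders HTTP/1.1\r\nHost: api.example.test\r\n"
         b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DISGUISED_TE = (b"POST /api/orders HTTP/1.1\r\nHost: api.example.test\r\n"
                b"Transfer-Encoding: xchunked\r\n\r\n")
DUP_CL = (b"POST /api/orders HTTP/1.1\r\nHost: api.example.test\r\n"
          b"Content-Length: 6\r\nContent-Length: 60\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("disguised te", DISGUISED_TE), ("dup cl", DUP_CL)]:
        print(f"{label:>12}: {desync_findings(req) or 'forward'}")
```

Because the point of the fix is uniform interpretation, the same rules belong on every hop, not only at the edge; better still, the front-end re-serializes the request it has parsed instead of forwarding the original bytes, so the back-end only ever sees one framing.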

Test cases in this category

This category contains the following test case:

Test case                     OWASP       CWE
[MC001] HTTP Desync Attack    API8:2023   CWE-444

Last updated 5 months ago