HTTP/1.1 Vulnerability Could Let Attackers Hijack Millions of Sites

Security researchers have unveiled a fundamental vulnerability in HTTP/1.1 that could allow attackers to hijack millions of websites, highlighting a persistent threat that has plagued web infrastructure for over six years despite ongoing mitigation efforts.

PortSwigger’s latest research reveals that HTTP/1.1 remains inherently insecure, routinely exposing millions of websites to hostile takeover through sophisticated HTTP desync attacks.

The cybersecurity firm has introduced several novel classes of these attacks, demonstrating critical vulnerabilities that have compromised tens of millions of websites by subverting core infrastructure within multiple Content Delivery Networks (CDNs).

Despite vendors deploying various mitigations over the past six years, researchers have consistently bypassed these protective measures.

The threat first came to prominence when PortSwigger disclosed it in 2019, yet little has fundamentally changed in addressing the root cause of the vulnerability.

Technical Root of the Problem

The core issue stems from HTTP/1.1’s fatal design flaw: the protocol allows attackers to create extreme ambiguity about where one request ends and the next request begins.

This ambiguity enables malicious actors to manipulate request boundaries, leading to request smuggling attacks that can compromise entire web applications and their underlying infrastructure.

These attacks exploit the differences in how various servers and proxy systems interpret HTTP requests, allowing attackers to inject malicious requests that appear legitimate to security systems while executing harmful operations on backend servers.

HTTP/2 and later versions eliminate this fundamental ambiguity, making desync attacks virtually impossible. However, security experts emphasize that simply enabling HTTP/2 on edge servers is insufficient.

The critical requirement is implementing HTTP/2 for upstream connections between reverse proxies and origin servers, where many vulnerabilities persist due to continued reliance on HTTP/1.1.

PortSwigger has launched a comprehensive initiative titled “HTTP/1.1 Must Die: The Desync Endgame,” urging organizations to transition away from the vulnerable protocol.

The research includes practical recommendations for immediate implementation, including enabling upstream HTTP/2 support and ensuring origin servers can handle the newer protocol.

For organizations still dependent on HTTP/1.1, researchers recommend implementing available request validation and normalization features on front-end systems, considering disabling upstream connection reuse, and actively engaging with vendors about HTTP/2 support timelines.
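To make the "request validation and normalization" recommendation above concrete, here is an added example (written for this page, not code from PortSwigger or any of the tools it names) of a hypothetical front-end check that rejects request heads whose body framing is ambiguous: both Content-Length and Transfer-Encoding present, conflicting Content-Length values, malformed header names such as a space before the colon, bare LF line endings, or a Transfer-Encoding list in which chunked is not the single final coding. The sample requests are constructed for the example.

```python
import re

# Characters RFC 9112 permits in a header field name (a "token"); a space or tab
# before the colon is therefore malformed, which is exactly what desync attacks rely on.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_framing(raw: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for a raw HTTP/1.1 request head.

    Hypothetical front-end filter for this example: a request is accepted only
    when exactly one unambiguous body-length mechanism is in use.
    """
    if b"\r\n\r\n" not in raw:
        return False, "incomplete head"
    head = raw.split(b"\r\n\r\n", 1)[0]
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF in head"  # lenient parsers treat a bare LF as a line break
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            return False, "malformed header name: %r" % name
        lname = name.lower()
        if lname == b"content-length":
            cl_values.append(value.strip(b" \t"))
        elif lname == b"transfer-encoding":
            te_values.extend(v.strip(b" \t").lower() for v in value.split(b","))
    if cl_values and te_values:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(cl_values)) > 1:
        return False, "conflicting Content-Length values"
    if cl_values and not cl_values[0].isdigit():
        return False, "non-numeric Content-Length"
    if te_values and (te_values[-1] != b"chunked" or te_values.count(b"chunked") > 1):
        return False, "chunked must be the single final transfer coding"
    return True, "ok"


# Constructed sample request heads (not captured traffic).
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, validate_framing(req))
```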

The cybersecurity community has developed open-source tools including HTTP Request Smuggler v3.0 and HTTP Hacker to help organizations identify and defend against these threats through recurring security scans.

This vulnerability affects a broad spectrum of web infrastructure, from individual websites to major CDN providers, highlighting the urgent need for industry-wide adoption of modern HTTP protocols to ensure web security.
