HTTP Request Synchronization Defeats Discrepancy Attacks
- URL: http://arxiv.org/abs/2510.09952v1
- Date: Sat, 11 Oct 2025 01:42:38 GMT
- Title: HTTP Request Synchronization Defeats Discrepancy Attacks
- Authors: Cem Topcuoglu, Kaan Onarlioglu, Steven Sprecher, Engin Kirda,
- Abstract summary: We propose the first comprehensive defense to address this problem, called HTTP Request Synchronization. Our scheme uses standard HTTP extension mechanisms to augment each request with a complete processing history. Using this history, every proxy server can validate that their processing is consistent with all previous hops, eliminating discrepancy attacks.
- Score: 6.113912479606383
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Contemporary web application architectures involve many layers of proxy services that process traffic. Due to the complexity of HTTP and vendor design decisions, these proxies sometimes process a given request in different ways. Attackers can exploit these processing discrepancies to launch damaging attacks including web cache poisoning and request smuggling. Discrepancy attacks are surging, yet, there exists no systemic defense. In this work, we propose the first comprehensive defense to address this problem, called HTTP Request Synchronization. Our scheme uses standard HTTP extension mechanisms to augment each request with a complete processing history. It propagates this context through the traffic path detailing how each server hop has processed said request. Using this history, every proxy server can validate that their processing is consistent with all previous hops, eliminating discrepancy attacks. We implement our scheme for 5 popular proxy technologies, Apache, NGINX, HAProxy, Varnish, and Cloudflare, demonstrating its practical impact.
Related papers
- Software Testing at the Network Layer: Automated HTTP API Quality Assessment and Security Analysis of Production Web Applications [1.9537983097153042]
We present an automated software testing framework that captures and analyzes the complete HTTP traffic of 18 production websites. Minimalist server-rendered sites achieve perfect scores of 100, while content-heavy commercial sites score as low as 56.8. We identify redundant API calls and missing cache headers as the two most pervasive anti-patterns, each affecting 67% of sites.
arXiv Detail & Related papers (2026-02-09T03:39:45Z)
- WebSentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents [45.87204751555924]
Prompt injection attacks manipulate webpage content to cause web agents to execute attacker-specified tasks instead of the user's intended ones. Existing methods for detecting and localizing such attacks achieve limited effectiveness. We propose WebSentinel, a two-step approach for detecting and localizing prompt injection attacks in webpages.
arXiv Detail & Related papers (2026-02-03T17:55:04Z)
- Cuckoo Attack: Stealthy and Persistent Attacks Against AI-IDE [64.47951172662745]
Cuckoo Attack is a novel attack that achieves stealthy and persistent command execution by embedding malicious payloads into configuration files. We formalize our attack paradigm into two stages, including initial infection and persistence. We contribute seven actionable checkpoints for vendors to evaluate their product security.
arXiv Detail & Related papers (2025-09-19T04:10:52Z)
- Streamlining HTTP Flooding Attack Detection through Incremental Feature Selection [0.3277163122167433]
In this paper, a method for the detection of such an attack is proposed. INFS-MICC helps in identifying a highly relevant and independent feature subset.
arXiv Detail & Related papers (2025-05-20T06:19:03Z)
- WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls [4.490124817524261]
Evading Web Application Firewalls (WAFs) can compromise defenses. We present an innovative approach to bypassing WAFs by uncovering parsing discrepancies. We identified and confirmed 1207 bypasses across 5 well-known WAFs.
arXiv Detail & Related papers (2025-03-13T19:56:29Z)
- ChatHTTPFuzz: Large Language Model-Assisted IoT HTTP Fuzzing [18.095573835226787]
Internet of Things (IoT) devices offer convenience through web interfaces, web VPNs, and other web-based services, all relying on the HTTP protocol.
Most state-of-the-art tools still rely on random mutation strategies, leading to difficulties in accurately understanding the HTTP protocol's structure and generating many invalid test cases.
We propose a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases.
arXiv Detail & Related papers (2024-11-18T10:48:53Z)
- SecAlign: Defending Against Prompt Injection with Preference Optimization [52.48001255555192]
Adversarial prompts can be injected into external data sources to override the system's intended instruction and execute a malicious instruction. We propose a new defense called SecAlign based on the technique of preference optimization. Our method reduces the success rates of various prompt injections to 10%, even against attacks much more sophisticated than ones seen during training.
arXiv Detail & Related papers (2024-10-07T19:34:35Z)
- The HTTP Garden: Discovering Parsing Vulnerabilities in HTTP/1.1 Implementations by Differential Fuzzing of Request Streams [7.012240324005978]
HTTP/1.1 parsing discrepancies have been the basis for numerous classes of attacks against web servers.
Our system, the HTTP Garden, examines both origin servers' interpretations and gateway servers' transformations of HTTP requests.
Using our tool, we have discovered and reported over 100 HTTP parsing bugs in popular web servers, of which 68 have been fixed following our reports.
arXiv Detail & Related papers (2024-05-28T01:48:05Z)
- Formalizing and Benchmarking Prompt Injection Attacks and Defenses [59.57908526441172]
We propose a framework to formalize prompt injection attacks.
Based on our framework, we design a new attack by combining existing ones.
Our work provides a common benchmark for quantitatively evaluating future prompt injection attacks and defenses.
arXiv Detail & Related papers (2023-10-19T15:12:09Z)
- Universal and Transferable Adversarial Attacks on Aligned Language Models [118.41733208825278]
We propose a simple and effective attack method that causes aligned language models to generate objectionable behaviors.
Surprisingly, we find that the adversarial prompts generated by our approach are quite transferable.
arXiv Detail & Related papers (2023-07-27T17:49:12Z)
- Preprocessors Matter! Realistic Decision-Based Attacks on Machine Learning Systems [56.64374584117259]
Decision-based attacks construct adversarial examples against a machine learning (ML) model by making only hard-label queries.
We develop techniques to (i) reverse-engineer the preprocessor and then (ii) use this extracted information to attack the end-to-end system.
Our preprocessors extraction method requires only a few hundred queries, and our preprocessor-aware attacks recover the same efficacy as when attacking the model alone.
arXiv Detail & Related papers (2022-10-07T03:10:34Z)
This list is automatically generated from the titles and abstracts of the papers in this site.