NullRabbit

Posts tagged desync.

4 entries · sorted: recency
SECURITY-RESEARCH
2026-06-25

How we hunt request smuggling without breaking anything

A timing hunch is not a finding. The discipline that separates real desync research from noise is the part nobody photographs: a lab of real proxies, a back-end you own that logs the literal forwarded bytes, and a hard line about who you're allowed to point any of it at.

Simon Morley
6 min read
SECURITY-RESEARCH
2026-06-24

Meet Keith, and why we're keeping it closed

We built our own HTTP engine from scratch. No normalisation, no typed header map, no helpfulness at all, because a well-behaved client quietly fixes the exact malformations you need to send. Here is what Keith is, and why we changed our minds about open-sourcing it.

Simon Morley
5 min read
SECURITY-RESEARCH
2026-06-22

The h3 FIN/EOM desync, and why your smuggling tool can't send it

HTTP/3 request smuggling is almost unploughed ground. Not because the surface is small, but because nearly every tool speaks h1/h2 only, and the few that speak h3 do it through a conformant QUIC library that won't let you send the bug.

NullRabbit Labs
4 min read
SECURITY-RESEARCH
2026-06-21

Keith, day 0: byte-exact or bust

Starting a build-in-public log for Keith, an HTTP/1.1/2/3 desync prober. The premise: a conformant HTTP client is the wrong tool for finding HTTP parser bugs, because it normalises away exactly the malformed framing you need to send.

NullRabbit Labs
2 min read