NullRabbit

Posts tagged http.

5 entries · sorted: recency
CLOUDFLARE
2026-06-26

We slipped a path past Cloudflare's edge. The fix is one checkbox.

Cloudflare resolves dot-segments in a URL only far enough to reject the obvious escapes, then forwards the raw, still-encoded path to your origin, which quietly resolves it the rest of the way. Your edge rules see one path; your server serves another. Cloudflare even warns you about it, in a banner most people scroll past.

Simon Morley
5 min read
SECURITY-RESEARCH
2026-06-25

How we hunt request smuggling without breaking anything

A timing hunch is not a finding. The discipline that separates real desync research from noise is the part nobody photographs: a lab of real proxies, a back-end you own that logs the literal forwarded bytes, and a hard line about who you're allowed to point any of it at.

Simon Morley
6 min read
SECURITY-RESEARCH
2026-06-24

Meet Keith, and why we're keeping it closed

We built our own HTTP engine from scratch. No normalisation, no typed header map, no helpfulness at all, because a well-behaved client quietly fixes the exact malformations you need to send. Here is what Keith is, and why we changed our minds about open-sourcing it.

Simon Morley
5 min read
SECURITY-RESEARCH
2026-06-23

What we build when we're not looking at validators

The method we built for blockchain validator security turns out to be a general-purpose bug-finding method. We've started pointing it at two pieces of infrastructure everyone shares: the open-source HTTP proxy ecosystem, and the Linux kernel's packet path.

Simon Morley
3 min read
SECURITY-RESEARCH
2026-06-21

Keith, day 0: byte-exact or bust

Starting a build-in-public log for Keith, an HTTP/1.1/2/3 desync prober. The premise: a conformant HTTP client is the wrong tool for finding HTTP parser bugs, because it normalises away exactly the malformed framing you need to send.

NullRabbit Labs
2 min read