impact: bypass authentication, hijack sessions, abuse a vulnerable internal API
the attack depends on which header the front-end uses to determine the end of a request and which header the back-end uses to determine the end of a request
- CL.TE: Content-Length ⇒ the exact number of bytes in the body (body length)
- TE.CL: Transfer-Encoding ⇒ the body is sent in chunks; it ends when a zero-length chunk is sent
- TE.TE: Transfer-Encoding: chunked header is present, but one server can be tricked into not processing it
the two headers are not supposed to be used together
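Added example (not part of the original notes): a small Python check that parses one constructed request both ways, by Content-Length and by chunked encoding, and reports the bytes each parser would leave on the connection for the next request. The function names, the example.test host and the sample requests are assumptions made for the illustration.

```python
# Added example. Sample requests are constructed, not captured traffic.

def split_head(raw: bytes):
    """Return (headers keyed by lower-cased name, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def chunked_end(body: bytes) -> int:
    """Offset where a chunked parser stops: after the zero-size chunk."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # chunk size is hex
        pos = eol + 2
        if size == 0:
            return pos + 2  # assumes no trailers: just the final CRLF
        pos += size + 2  # chunk data plus its CRLF

def check(raw: bytes) -> dict:
    """Flag requests whose end depends on which header the parser trusts."""
    headers, body = split_head(raw)
    cl = headers.get(b"content-length")
    te = headers.get(b"transfer-encoding")
    report = {
        "both_headers": cl is not None and te is not None,
        "odd_te": te is not None and te.lower() != b"chunked",
        "desync": False,
    }
    if report["both_headers"]:
        cl_end, te_end = int(cl), chunked_end(body)
        report["leftover_cl"] = body[cl_end:]  # left over if Content-Length wins
        report["leftover_te"] = body[te_end:]  # left over if chunked wins
        report["desync"] = cl_end != te_end
    return report

AMBIGUOUS = (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 10\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\nEXTRA")
CLEAN = (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nq=abc")

if __name__ == "__main__":
    for name, raw in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(name, check(raw))
```

A front-end that rejects any request where both_headers or odd_te is true never forwards a request the back-end could read differently.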
HTTP keep-alive, HTTP pipelining
HTTP/2 uses a determined content length