Description: Client-side desync
Client-side desync (CSD) vulnerabilities occur when a web server fails to correctly process the Content-Length header of POST requests. By exploiting this behavior, an attacker can force a victim's browser to desynchronize its connection with the website, which typically leads to XSS.
Remediation: Client-side desync
You can resolve this vulnerability by patching the server so that it either processes POST requests correctly or closes the connection after handling them. You could also disable connection reuse entirely, but this may reduce performance. Enabling HTTP/2 also resolves this issue.
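To make the failure mode and the two server-side fixes concrete, here is an added simulation (not Burp's code and not from the original page): it models how a keep-alive HTTP/1.1 server parses one connection's byte stream when it ignores the POST body, when it drains Content-Length bytes, and when it closes after the request. The request bytes, function names and mode labels are constructed for this example.

```python
"""Simulate a keep-alive HTTP/1.1 server's request parsing to show why
ignoring Content-Length on a POST desynchronises the connection."""
from typing import List, Optional, Tuple


def _parse_head(stream: bytes, pos: int) -> Optional[Tuple[str, int, int]]:
    """Return (request_line, content_length, offset_after_head), or None if
    no complete header block starts at pos."""
    end = stream.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    return lines[0], length, end + 4


def parse_stream(stream: bytes, mode: str) -> List[str]:
    """Return the request lines the server believes it received.

    mode == "ignore": vulnerable; the POST body is never consumed, so the
                      leftover bytes are parsed as the *next* request.
    mode == "drain":  fixed; Content-Length bytes are read and discarded.
    mode == "close":  fixed; the connection is closed after the request,
                      so any leftover bytes are dropped with it.
    """
    seen: List[str] = []
    pos = 0
    while (parsed := _parse_head(stream, pos)) is not None:
        request_line, length, pos = parsed
        seen.append(request_line)
        if mode == "close":
            break
        if mode == "drain":
            pos += length  # skip the body instead of re-parsing it
    return seen


# Constructed sample: one POST whose 39-byte body looks like a second request.
# In a real CSD the bytes left on the socket come from the victim's browser.
SAMPLE = (b"POST /static HTTP/1.1\r\nHost: example\r\nContent-Length: 39\r\n\r\n"
          b"GET /second HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    for mode in ("ignore", "drain", "close"):
        print(mode, parse_stream(SAMPLE, mode))
```

Only the "ignore" mode reports two requests for a single POST; that extra parsed request is the desync the scanner check looks for.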
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CAPEC-33: HTTP Request Smuggling