
Client-side desync

Description: Client-side desync

Client-side desync (CSD) vulnerabilities occur when a web server fails to correctly process the Content-Length of POST requests. By exploiting this behavior, an attacker can force a victim's browser to desynchronize its connection with the website, typically leading to XSS.

Remediation: Client-side desync

You can resolve this vulnerability by patching the server so that it either processes POST requests correctly, or closes the connection after handling them. You could also disable connection reuse entirely, but this may reduce performance. You can also resolve this issue by enabling HTTP/2.
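To make the description and the first remediation concrete, here is an added example (not code from PortSwigger's page or from Burp Scanner): a toy HTTP/1.1 keep-alive request reader in its vulnerable form, which ignores the POST body, beside a fixed form that consumes exactly Content-Length bytes. All names and the sample byte stream are constructed for illustration.

```python
# Added example: toy HTTP/1.1 keep-alive request readers, vulnerable and fixed.
# All names and the sample byte stream are constructed for illustration.

# Constructed stream: a POST whose 26-byte body is followed by the browser's
# next legitimate request on the same reused connection.
SAMPLE_STREAM = (
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 26\r\n\r\n"
    b"GET /smuggled HTTP/1.1\r\n\r\n"                      # body (26 bytes)
    b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"    # real next request
)


def parse_head(stream, pos):
    """Parse one request line and header block starting at pos.
    Returns (method, path, headers, body_start), or None if incomplete."""
    end = stream.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, end + 4


def serve_vulnerable(stream):
    """Ignores Content-Length on POST: the body is left in the connection
    buffer and gets parsed as if it were the next request (a desync)."""
    requests, pos = [], 0
    while (parsed := parse_head(stream, pos)) is not None:
        method, path, _headers, pos = parsed
        requests.append((method, path))
    return requests


def serve_fixed(stream):
    """Consumes exactly Content-Length body bytes before reading the next
    request, so the connection stays in sync (first remediation above)."""
    requests, pos = [], 0
    while (parsed := parse_head(stream, pos)) is not None:
        method, path, headers, pos = parsed
        length = int(headers.get("content-length", "0"))
        if len(stream) - pos < length:
            break  # body not fully received yet; wait for more data
        pos += length
        requests.append((method, path))
    return requests
```

The vulnerable reader reports three requests, with the POST body surfacing as a request the browser never sent; the fixed reader reports only the two genuine ones. Closing the connection after each POST (the page's second remediation) avoids the problem because the leftover bytes are never read as a further request.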

Typical severity

High

Type index (hex)

0x00200141

Type index (decimal)

2097473
