The primary mistake seen in the wild is servers assuming that every HTTP/1.1 request sent down a given TLS connection must have the same intended destination and HTTP Host header.

Resources

TOOL: Smuggler
TOOL: Request Minimizer (Burp extension to minimize the request size)
HTTP/1.1 Must Die
HTTP/2 downgrading
Response queue poisoning
Bypassing client authentication | Mutual TLS authentication
Turbo Intruder: Embracing the billion-request attack
Turbo Intruder (video link)
James Kettle — Client-side desync attacks
Client-side desync attacks (PortSwigger Labs)
Making desync attacks easy with TRACE
HTTP/2: The Sequel is Always Worse
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
HTTP Host header attacks
Routing-based SSRF
HTTP Pipelining
Pipelining causes a loop in Cesanta Mongoose
BUG HUNTER UNIVERSITY (Google): CRLF Injection
HTTP request tunnelling
Bug Reports: TE.0 Client-Side Desync (and video in blog)
Desync attacks with TRACE
Tinder automatic like bug
CL.T...