{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T18:14:14Z","timestamp":1772043254872,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,13]],"date-time":"2022-11-13T00:00:00Z","timestamp":1668297600000},"content-version":"vor","delay-in-days":366,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-1703454"],"award-info":[{"award-number":["CNS-1703454"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3485384","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"1805-1820","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["T-Reqs: HTTP Request Smuggling with Differential Fuzzing"],"prefix":"10.1145","author":[{"given":"Bahruz","family":"Jabiyev","sequence":"first","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}]},{"given":"Steven","family":"Sprecher","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}]},{"given":"Kaan","family":"Onarlioglu","sequence":"additional","affiliation":[{"name":"Akamai Technologies, Cambridge, MA, USA"}]},{"given":"Engin","family":"Kirda","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"NAUTILUS: Fishing for Deep Bugs with Grammars. 
In The Network and Distributed System Security Symposium.","author":"Aschermann Cornelius","year":"2019","unstructured":"Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, Ahmad-Reza Sadeghi, and Daniel Teuchert. 2019. NAUTILUS: Fishing for Deep Bugs with Grammars. In The Network and Distributed System Security Symposium."},{"key":"e_1_3_2_2_2_1","unstructured":"BuiltWith. [n.d.]. BuiltWith Technology Lookup. https:\/\/trends.builtwith.com\/CDN\/Content-Delivery-Network."},{"key":"e_1_3_2_2_3_1","unstructured":"Cloudflare Help Center. 2021. Using Page Rules to Re-Write Host Headers. https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/206652947-Using-Page-Rules-to-Re-Write-Host-Headers."},{"key":"e_1_3_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978394"},{"key":"e_1_3_2_2_5_1","unstructured":"Evan Custodio. 2019. Mass account takeovers using HTTP Request Smuggling on https:\/\/slackb.com\/ to steal session cookies. https:\/\/hackerone.com\/reports\/737140."},{"key":"e_1_3_2_2_6_1","unstructured":"Evan Custodio. 2020 a. Practical Attacks Using HTTP Request Smuggling by @defparam. NahamCon. https:\/\/www.youtube.com\/watch?v=3tpnuzFLU8g."},{"key":"e_1_3_2_2_7_1","unstructured":"Evan Custodio. 2020 b. Smuggler. https:\/\/github.com\/defparam\/smuggler."},{"key":"e_1_3_2_2_8_1","unstructured":"Jeremy Druin. 2021. OWASP Mutillidae II. https:\/\/github.com\/webpwnized\/mutillidae."},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"crossref","unstructured":"Roy Fielding James Gettys Jeff Mogul Henrik Frystyk and Tim Berners-Lee. 1997. Hypertext Transfer Protocol -- HTTP\/1.1. https:\/\/tools.ietf.org\/html\/rfc2068.","DOI":"10.17487\/rfc2068"},{"key":"e_1_3_2_2_10_1","doi-asserted-by":"crossref","unstructured":"Roy Fielding and Julian Reschke. 2014a. Hypertext Transfer Protocol (HTTP\/1.1): Message Syntax and Routing. 
https:\/\/tools.ietf.org\/html\/rfc7230.","DOI":"10.17487\/rfc7230"},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"crossref","unstructured":"Roy Fielding and Julian Reschke. 2014b. Hypertext Transfer Protocol (HTTP\/1.1): Semantics and Content. https:\/\/tools.ietf.org\/html\/rfc7231.","DOI":"10.17487\/rfc7231"},{"key":"e_1_3_2_2_12_1","unstructured":"Omer Gil. 2017a. Web Cache Deception Attack. Black Hat USA. https:\/\/www.blackhat.com\/us-17\/briefings.html#web-cache-deception-attack."},{"key":"e_1_3_2_2_13_1","unstructured":"Omer Gil. 2017b. Web Cache Deception Attack. https:\/\/omergil.blogspot.com\/2017\/02\/web-cache-deception-attack.html."},{"key":"e_1_3_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3363824"},{"key":"e_1_3_2_2_15_1","unstructured":"James Kettle. 2019 a. HTTP Desync Attacks: Request Smuggling Reborn. PortSwigger Web Security Blog. https:\/\/portswigger.net\/blog\/http-desync-attacks-request-smuggling-reborn."},{"key":"e_1_3_2_2_16_1","unstructured":"James Kettle. 2019 b. Password theft login.newrelic.com via Request Smuggling. HackerOne. https:\/\/hackerone.com\/reports\/498052."},{"key":"e_1_3_2_2_17_1","unstructured":"James Kettle. 2019 c. Stored XSS on https:\/\/paypal.com\/signin via cache poisoning. HackerOne. https:\/\/hackerone.com\/reports\/488147."},{"key":"e_1_3_2_2_18_1","unstructured":"James Kettle. 2021. HTTP\/2: The Sequel is Always Worse. Black Hat USA. https:\/\/www.blackhat.com\/us-21\/briefings\/schedule\/#http2-the-sequel-is-always-worse-22668."},{"key":"e_1_3_2_2_19_1","unstructured":"Amit Klein. 2020. HTTP Request Smuggling in 2020 -- New Variants New Defenses and New Challenge. Black Hat USA. https:\/\/www.blackhat.com\/us-20\/briefings\/schedule\/#http-request-smuggling-in--new-variants-new-defenses-and-new-challenges-20019."},{"key":"e_1_3_2_2_20_1","unstructured":"Graham Klyne. 2021. Message Headers. 
https:\/\/www.iana.org\/assignments\/message-headers\/message-headers.xhtml."},{"key":"e_1_3_2_2_21_1","unstructured":"Dima Kumets. 2019. 8 best practices for multi-CDN implementations. https:\/\/www.fastly.com\/blog\/best-practices-multi-cdn-implementations."},{"key":"e_1_3_2_2_22_1","unstructured":"Emil Lerner. 2021. http2smugl. https:\/\/github.com\/neex\/http2smugl."},{"key":"e_1_3_2_2_23_1","unstructured":"Regis Leroy. 2016. Hiding Wookiees in HTTP: HTTP smuggling. DEF CON. https:\/\/www.youtube.com\/watch?v=dVU9i5PsMPY."},{"key":"e_1_3_2_2_24_1","unstructured":"Chaim Linhart Amit Klein Ronen Heled and Steve Orrin. 2005. HTTP Request Smuggling. Watchfire. https:\/\/www.cgisecurity.com\/lib\/HTTP-Request-Smuggling.pdf."},{"key":"e_1_3_2_2_25_1","unstructured":"Anna MacLachlan. 2015. The benefits of using Varnish. https:\/\/www.fastly.com\/blog\/benefits-using-varnish."},{"key":"e_1_3_2_2_26_1","unstructured":"Lori MacVittie. 2017. Security Rule Zero: A Warning about X-Forwarded-For. https:\/\/www.f5.com\/company\/blog\/security-rule-zero-a-warning-about-x-forwarded-for."},{"key":"e_1_3_2_2_27_1","article-title":"Differential Testing for Software","volume":"10","author":"McKeeman William M.","year":"1998","unstructured":"William M. McKeeman. 1998. Differential Testing for Software. Digital Technical Journal, Vol. 10, 1 (1998).","journal-title":"Digital Technical Journal"},{"key":"e_1_3_2_2_28_1","volume-title":"Cached and Confused: Web Cache Deception in the Wild. In USENIX Security Symposium.","author":"Mirheidari Seyed Ali","year":"2020","unstructured":"Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. 2020. Cached and Confused: Web Cache Deception in the Wild. In USENIX Security Symposium."},{"key":"e_1_3_2_2_29_1","volume-title":"USENIX Security Symposium.","author":"Mirheidari Seyed Ali","year":"2022","unstructured":"Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, and Bruno Crispo. 
2022. Web Cache Deception Escalates!. In USENIX Security Symposium."},{"key":"e_1_3_2_2_30_1","unstructured":"NGINX. [n.d.]. Cloudflare boosts performance and stability for its millions of websites with NGINX. https:\/\/www.nginx.com\/success-stories\/cloudflare-boosts-performance-stability-millions-websites-with-nginx\/."},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354215"},{"key":"e_1_3_2_2_32_1","volume-title":"DifFuzz: Differential Fuzzing for Side-channel Analysis. In IEEE\/ACM International Conference on Software Engineering.","author":"Nilizadeh Shirin","unstructured":"Shirin Nilizadeh, Yannic Noller, and Corina S. Pasareanu. 2019. DifFuzz: Differential Fuzzing for Side-channel Analysis. In IEEE\/ACM International Conference on Software Engineering."},{"key":"e_1_3_2_2_33_1","volume-title":"Nezha: Efficient Domain-Independent Differential Testing","author":"Petsios Theofilos","year":"2017","unstructured":"Theofilos Petsios, Adrian Tang, Salvatore Stolfo, Angelos D. Keromytis, and Suman Jana. 2017. Nezha: Efficient Domain-Independent Differential Testing. In IEEE Security & Privacy."},{"key":"e_1_3_2_2_34_1","volume-title":"Samaneh Tajalizadehkhoob, Maciej Korczy\u0144ski, and Wouter Joosen.","author":"Pochat Victor Le","year":"2021","unstructured":"Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczy\u0144ski, and Wouter Joosen. 2021. Tranco -- A Research-Oriented Top Sites Ranking Hardened Against Manipulation. https:\/\/tranco-list.eu\/."},{"key":"e_1_3_2_2_35_1","unstructured":"PortSwigger. [n.d.]. Exploiting HTTP request smuggling vulnerabilities. https:\/\/portswigger.net\/web-security\/request-smuggling\/exploiting."},{"key":"e_1_3_2_2_36_1","unstructured":"PortSwigger. 2019. HTTP Request Smuggler. 
https:\/\/github.com\/PortSwigger\/http-request-smuggler."},{"key":"e_1_3_2_2_37_1","volume-title":"HVLearn: Automated Black-Box Analysis of Hostname Verification in SSL\/TLS Implementations","author":"Sivakorn Suphannee","unstructured":"Suphannee Sivakorn, George Argyros, Kexin Pei, Angelos D. Keromytis, and Suman Jana. 2017. HVLearn: Automated Black-Box Analysis of Hostname Verification in SSL\/TLS Implementations. In IEEE Security & Privacy."},{"key":"e_1_3_2_2_38_1","volume-title":"The Fuzzing Book","author":"Zeller Andreas","unstructured":"Andreas Zeller, Rahul Gopinath, Marcel B\u00f6hme, Gordon Fraser, and Christian Holler. 2019. The Fuzzing Book. In The Fuzzing Book. Saarland University. https:\/\/www.fuzzingbook.org\/."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications 
Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3485384","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3485384","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3485384","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:47:49Z","timestamp":1763498869000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3485384"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":38,"alternative-id":["10.1145\/3460120.3485384","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3485384","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}