It's a cheat sheet about behaviour of various reverse proxies and related attacks.
It is a result of analysis of various reverse proxies, cache proxies, load balancers, etc. The article (https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/) describes the goals of the research and how you can use the cheat sheet.
Analyzed stuff: - Nginx - Apache - Haproxy/Nuster - Varnish - Traefik - Envoy - Caddy - AWS - Cloudflare - Stackpath - Fastly
Additional: - Test Labs
Related articles/white papers/presentations: - Reverse proxies & Inconsistency - Weird proxies/2 and a bit of magic - Attacking Secondary Contexts in Web Applications - Hacking Starbucks and Accessing Nearly 100 Million Customer Records - Middleware, middleware everywhere - and lots of misconfigurations to fix - ParseThru – Exploiting HTTP Parameter Smuggling in Golang - HTTP.ninja - Server Technologies - Reverse Proxy Bypass - Cracking the lens: targeting HTTP's hidden attack-surface - Abusing HTTP hop-by-hop request headers - The perils of the “real” client IP - Smuggling HTTP headers through reverse proxies - At Home Among Strangers - h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) - H2C Smuggling in the Wild - A story of leaking uninitialized memory from Fastly - What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs - HTTP Desync Attacks: Request Smuggling Reborn - HTTP Request Smuggling via higher HTTP versions - HTTP/2: The Sequel is Always Worse - Response Smuggling:Exploiting HTTP/1.1 Connections - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - Making HTTP header injection critical via response queue poisoning - Cache poisoning and other dirty tricks - Practical Web Cache Poisoning - Web Cache Entanglement: Novel Pathways to Poisoning - HTTP Caching Tests - CPDoS: Cache Poisoned Denial of Service - The Case of the Missing Cache Keys - Responsible denial of service with web cache poisoning - Cache Poisoning Denial-of-Service Attack Techniques - Cache-Key Normalization DoS - Web Cache Deception Attack - Cached and Confused: Web Cache Deception in the Wild - Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!
$ claude mcp add weird_proxies \
-- python -m otcore.mcp_server <graph>