It's a cheat sheet about behaviour of various reverse proxies and related attacks.
It is a result of analysis of various reverse proxies, cache proxies, load balancers, etc. The article (https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/) describes the goals of the research and how you can use the cheat sheet.
Analyzed stuff:
Additional:
Related articles/white papers/presentations:
- Reverse proxies & Inconsistency
- Weird proxies/2 and a bit of magic
- Attacking Secondary Contexts in Web Applications
- Hacking Starbucks and Accessing Nearly 100 Million Customer Records
- Middleware, middleware everywhere - and lots of misconfigurations to fix
- HTTP.ninja
- Server Technologies - Reverse Proxy Bypass
- Cracking the lens: targeting HTTP's hidden attack-surface
- Abusing HTTP hop-by-hop request headers
- The perils of the “real” client IP
- Smuggling HTTP headers through reverse proxies
- At Home Among Strangers
- h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)
- H2C Smuggling in the Wild
- A story of leaking uninitialized memory from Fastly
- What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs
- HTTP Desync Attacks: Request Smuggling Reborn
- HTTP Request Smuggling via higher HTTP versions
- HTTP/2: The Sequel is Always Worse
- Response Smuggling:Exploiting HTTP/1.1 Connections
- Cache poisoning and other dirty tricks
- Practical Web Cache Poisoning
- Web Cache Entanglement: Novel Pathways to Poisoning
- HTTP Caching Tests
- CPDoS: Cache Poisoned Denial of Service
- The Case of the Missing Cache Keys
- Responsible denial of service with web cache poisoning
- Cache Poisoning Denial-of-Service Attack Techniques
- Cache-Key Normalization DoS
- Web Cache Deception Attack
- Cached and Confused: Web Cache Deception in the Wild