HTTP Connection Request Smuggling

Connection state attacks

First-request validation

Reverse proxies often use the Host header to identify which back-end server to route each request to, and have a whitelist of hosts that people are allowed to access.
However, some proxies only apply this whitelist to the first request sent over a given connection. This means attackers can gain access to internal websites by issuing a request to an allowed destination, followed by one for the internal site down the same connection:
GET / HTTP/1.1
Host: redacted

GET / HTTP/1.1
Host: intranet.redacted
Mercifully, this mistake is quite rare.

First-request routing

First-request routing occurs when the front-end uses the first request's Host header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.
GET / HTTP/1.1
Host: example.com

POST /pwreset HTTP/1.1
Host: psres.net
This could be chained with Host header attacks like password reset poisoning, web cache poisoning, and gaining access to other virtual hosts.
You can scan for these two flaws using the 'connection-state probe' option in HTTP Request Smuggler.
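The two flaws above share one root cause: the front-end treats the connection, rather than each request, as the unit of validation and routing. The added Python model below is not from the original page or from HTTP Request Smuggler; it splits a constructed pipelined stream of bodyless requests and contrasts a proxy that checks the Host allow-list only on the first request with one that checks and routes every request. The host names and allow-list are constructed placeholders.

```python
from typing import List, Tuple

# Constructed allow-list of public hosts; "intranet.example" stands in for the
# page's redacted internal host.
ALLOWED_HOSTS = {"www.example"}

def split_requests(stream: bytes) -> List[Tuple[str, str, str]]:
    """Split a pipelined HTTP/1.1 byte stream into (method, path, host) triples.
    Assumes bodyless requests, so each request ends at the first empty line."""
    out = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.decode("ascii").split("\r\n")
        method, path, _ = lines[0].split(" ", 2)
        host = ""
        for hdr in lines[1:]:
            name, _, value = hdr.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
        out.append((method, path, host))
    return out

def route_first_request_only(stream: bytes) -> List[str]:
    """Vulnerable behaviour: the allow-list is consulted only for the first
    request on the connection; later requests are forwarded unchecked to
    whichever back-end the first Host header selected."""
    decisions = []
    for i, (_, _, host) in enumerate(split_requests(stream)):
        if i == 0 and host not in ALLOWED_HOSTS:
            decisions.append("403")
        else:
            decisions.append(f"forward:{host}")
    return decisions

def route_every_request(stream: bytes) -> List[str]:
    """Hardened behaviour: every request on the connection is validated and
    routed on its own Host header, so a pipelined internal host is rejected."""
    decisions = []
    for _, _, host in split_requests(stream):
        decisions.append(f"forward:{host}" if host in ALLOWED_HOSTS else "403")
    return decisions

# Constructed pipelined stream mirroring the page's example: an allowed host
# followed by an internal host on the same connection.
PIPELINED = (b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"
             b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
```

When reviewing a proxy's configuration, the property to confirm is the second function's: the allow-list and back-end selection run per request, not once per TCP connection.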