Reputation: 322
I am trying to decide if my server is vulnerable to a CL.0 desync attack. I did some tests but am not sure whether what I see is the normal behavior of HTTP pipelining or a CL.0 desync.
Tool: Burp Community Edition
query 1:
POST /login HTTP/1.1
Host: 127.0.0.1
Referer: https://127.0.0.1
Content-Length: 0
GET /api/status HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Response:
HTTP/1.1: 401 Unauthorized
Set-Cookie: ....
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: must-revalidate,no-cache,no-store
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Length: 74
HTTP Status 401 - Full authentication is required
HTTP/1.1: 401 Unauthorized
Date: Wed, ...
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Length: 74
HTTP Status 401 - Full authentication is required
401 is expected for both endpoints because no token is passed.
query 2:
POST /login HTTP/1.1
Host: 127.0.0.1
Referer: https://127.0.0.1
GET /api/status HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Response:
HTTP/1.1: 401 Unauthorized
Date: Wed, ...
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Length: 74
HTTP Status 401 - Full authentication is required
For query 1, I am not sure if it is just normal pipelining behavior. What's the difference anyway?
Thank you.
Upvotes: 0
Views: 15
Reputation: 68
This looks like pipelining to me. The easy way to tell is to send the first request up to the GET, and see if the server responds. If it does, it's pipelining. If it hangs, it's potentially a desync. Check this out for more info:
https://portswigger.net/research/browser-powered-desync-attacks#connection-locked
Upvotes: 0
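The check the answer describes (send only the first request and see whether the server answers it on its own), as an added example that is not part of the question or answer. It sends the POST from query 1 without the trailing GET and classifies what comes back; the function and class names are this example's own, and the in-process stand-in servers are constructed so it runs offline, while `probe()` can be pointed at your own host and port.

```python
import socket
import socketserver
import threading
import time

# Added example, not code from the question or answer. It performs the check the
# answer describes: send ONLY the first request of query 1 (POST, Content-Length: 0)
# and see whether the server answers it by itself. All names here are this example's.

def build_first_request(host: str, path: str = "/login") -> bytes:
    """Query 1 without the trailing GET: a POST whose declared body is empty."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nReferer: https://{host}\r\n"
            "Content-Length: 0\r\nConnection: keep-alive\r\n\r\n").encode()

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the lone POST; 'responds' means a following GET would be ordinary
    pipelining, 'timeout' means the server is still waiting for something."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_first_request(host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return "responds" if data else "closed"

class _Backend(socketserver.StreamRequestHandler):
    """Constructed local stand-in: reads the headers, then either answers at once
    or sits silent, as a server that still expects a body would."""
    delay = 0.0
    def handle(self):
        while self.rfile.readline() not in (b"\r\n", b""):
            pass
        time.sleep(self.delay)
        if not self.delay:
            self.wfile.write(b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n")

class _SilentBackend(_Backend):
    delay = 1.0

def run_local_demo(handler=_Backend, timeout: float = 0.5) -> str:
    """Run probe() against an in-process server built from `handler`."""
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1], timeout=timeout)
    finally:
        server.shutdown()
        server.server_close()
```

`run_local_demo(_Backend)` returns "responds" (the answer's pipelining case) and `run_local_demo(_SilentBackend)` returns "timeout" (the case the answer says is worth a closer look); against a real server, a "timeout" from `probe()` means the server did not treat the empty-body POST as complete.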