SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-444 Inconsistent Interpretation of HTTP Requests

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged a risk where different components in your request path (CDN/WAF/reverse proxy/load balancer/app server) may parse the "same" HTTP request differently. That mismatch can let attackers smuggle or disguise requests.

Why it matters

Inconsistent parsing can allow request smuggling or bypasses.

Safer examples

1) Normalize and validate at the edge

Reject ambiguous requests (duplicate headers, multiple Content-Length, weird Transfer-Encoding, invalid whitespace).

2) Align proxy and backend parsing rules

Keep proxy/WAF and app server versions/configs aligned; enable strict request parsing modes where available.

3) Avoid complex routing based on raw headers

Prefer server-known routing; be cautious with X-Forwarded-* headers unless set by trusted infrastructure (see CWE-346 style risks).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.