A new research has identified four new variants of HTTP request smuggling attacks that work against commercial off-the-shelf web servers and HTTP proxy servers. The new variants involve using various proxy-server combinations, including Aprelium’s Abyss, Microsoft IIS, Apache, and Tomcat in the web-server mode, and Nginx, Squid, HAProxy, Caddy, and Traefik in the HTTP proxy mode. A third variant of the attack uses HTTP/1.2 to bypass WAF defenses as defined in OWASP ModSecurity Core Rule Set.
Source: https://thehackernews.com/2020/08/http-request-smuggling.html