Open mhils opened 4 days ago
Received invalid header name: b'activeLangId=English; isStackableDevice=false; userStatus=ok; sessionID=UserId=<snip>; firstWelcomeBanner=false; pg=00000000000000000000000000000000000000000000000000000000000Server' from server, refusing to prevent request smuggling attacks. Disable the validate_inbound_headers option to skip this security check.
Ran into this while trying to determine the authentication flow of some older network switches we are trying to automate (SF200/SF300)
Something is deeply wrong here. Could you force TCP mode (tcp_hosts option) and post an exchange?
Starting with the release of mitmproxy 11.0.1, mitmproxy performs stricter validation of HTTP requests and responses as an additional hardening measure against request smuggling attacks. This largely follows RFC 9112 Section 6.1.
We don't have any telemetry/analytics in mitmproxy, so we don't know how widespread such requests and responses are. To err on the side of being safe, we have decided to reject such messages for now. If this affects you, please comment below with details. If we find that this is more prevalent than we anticipate, we may return to a less strict handling.
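To make the kind of check described in this comment concrete, here is an added example of strict HTTP/1.1 field-line validation along the lines of RFC 9112 (header names must be tokens, no whitespace before the colon, no obsolete line folding, and the Content-Length / Transfer-Encoding rules that matter for request smuggling). This is illustrative code written for this thread, not mitmproxy's implementation; the sample messages are constructed, and the "switch-like" line is only modelled on the header name quoted in the error message above, not on an actual capture.

```python
"""Strict HTTP/1.1 header-block validation of the kind mitmproxy 11.0.1 describes.

Added illustration, not mitmproxy's own code. The sample messages below are
constructed; the switch-like line is modelled on the header name quoted in
the report, not on a real capture.
"""
import re

# RFC 9110 section 5.6.2: token = 1*tchar
TCHAR_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 9110 section 8.6: Content-Length = 1*DIGIT
DIGITS_RE = re.compile(rb"^[0-9]+$")


class InvalidMessage(ValueError):
    """A header block a smuggling-hardened proxy should refuse to forward."""


def parse_header_block(block: bytes) -> list[tuple[bytes, bytes]]:
    """Parse the field lines of one HTTP/1.1 message (everything after the
    start line up to the terminating empty line) into (lowercased name, value).

    Anything ambiguous for a downstream parser raises InvalidMessage instead of
    being silently repaired, because repairs are what let two parsers disagree.
    """
    fields: list[tuple[bytes, bytes]] = []
    for line in block.split(b"\r\n"):
        if line == b"":
            continue  # the blank line that ends the block
        if line[:1] in (b" ", b"\t"):
            # RFC 9112 section 5.2: obsolete line folding, rejected outright
            raise InvalidMessage(f"obsolete line folding: {line!r}")
        name, sep, value = line.partition(b":")
        if not sep:
            raise InvalidMessage(f"field line without colon: {line!r}")
        if name != name.rstrip(b" \t"):
            # RFC 9112 section 5.1: no whitespace between field name and colon
            raise InvalidMessage(f"whitespace before colon in {name!r}")
        if not TCHAR_RE.match(name):
            raise InvalidMessage(f"invalid header name: {name!r}")
        if b"\r" in value or b"\n" in value:
            # a bare CR or LF inside a value means the block was not CRLF-delimited
            raise InvalidMessage(f"bare CR/LF in value of {name!r}")
        fields.append((name.lower(), value.strip(b" \t")))
    return fields


def check_framing(fields: list[tuple[bytes, bytes]]) -> None:
    """Apply the RFC 9112 section 6 body-length rules that matter for smuggling."""
    te = [v for n, v in fields if n == b"transfer-encoding"]
    cl = [v for n, v in fields if n == b"content-length"]
    if te and cl:
        # RFC 9112 section 6.1: both headers present is the classic CL.TE / TE.CL
        # smuggling setup; a recipient MAY reject such a message, and we do
        raise InvalidMessage("both Transfer-Encoding and Content-Length present")
    if any(not DIGITS_RE.match(v) for v in cl):
        raise InvalidMessage(f"non-numeric Content-Length: {cl!r}")
    if len(set(cl)) > 1:
        # RFC 9112 section 6.3: differing Content-Length values are unrecoverable
        raise InvalidMessage(f"conflicting Content-Length values: {cl!r}")


def diagnose(block: bytes):
    """Return None if the block is acceptable, else the reason it would be refused."""
    try:
        check_framing(parse_header_block(block))
    except InvalidMessage as exc:
        return str(exc)
    return None


# Constructed samples (not real captures).
CLEAN = b"Host: example.com\r\nContent-Length: 3\r\n\r\n"
# Modelled on the header name from the report: a cookie string onto which a
# "Server" header appears to have been glued without a line terminator.
SWITCH_LIKE = (
    b"Cache-Control: no-cache\r\n"
    b"activeLangId=English; isStackableDevice=false; pg=0000Server: switch-httpd\r\n"
    b"\r\n"
)
CL_TE = b"Host: example.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
SPACE_BEFORE_COLON = b"Host : example.com\r\n\r\n"

if __name__ == "__main__":
    for label, block in [("clean", CLEAN), ("switch-like", SWITCH_LIKE),
                         ("cl+te", CL_TE), ("space-before-colon", SPACE_BEFORE_COLON)]:
        print(f"{label:20} -> {diagnose(block) or 'OK'}")
```

Running it shows the switch-like block refused with an "invalid header name" reason equivalent to the one in the report, because `;`, `=` and space are not token characters. The design choice mirrors the comment above: a proxy that forwards such a line has to guess where the field name ends, and a guess that differs from the origin server's is exactly the disagreement request smuggling exploits, so refusing is the safe default.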