Very true, this was likely an attack. Worth noting that Mr. Kettle has done a DEF CON talk nearly every year on some variant of this attack, the most recent one titled "HTTP/1.1 must die" because he rightfully believes that switching to the binary headers of HTTP/2 (specifically in reverse proxy connections to upstream servers) is the only way to systematically prevent these.

I’ll be back next month with a load of fresh vectors in “Can AI Do Novel Security Research? Meet the HTTP Terminator”

https://portswigger.net/research/talks?talkId=36

Maybe my last presentation on the topic! Possibly.

Or as the Risky Business guys crystallise it: "James Kettle breaks the internet. Again."

Why the reference to AI? This looks like standard security research.