MDA2AV
diff --git a/‎README.md‎
Lines changed: 5 additions & 5 deletions b/‎README.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎docs/content/docs/body/chunked-hex-uppercase.md‎
Lines changed: 45 additions & 0 deletions b/‎docs/content/docs/body/chunked-hex-uppercase.md‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎docs/content/docs/body/chunked-trailer-valid.md‎
Lines changed: 53 additions & 0 deletions b/‎docs/content/docs/body/chunked-trailer-valid.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎docs/content/docs/headers/connection-close.md‎
Lines changed: 39 additions & 0 deletions b/‎docs/content/docs/headers/connection-close.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎docs/content/docs/headers/http10-default-close.md‎
Lines changed: 42 additions & 0 deletions b/‎docs/content/docs/headers/http10-default-close.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎docs/content/docs/host-header/host-empty-value.md‎
Lines changed: 40 additions & 0 deletions b/‎docs/content/docs/host-header/host-empty-value.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎docs/content/docs/host-header/http10-no-host.md‎
Lines changed: 44 additions & 0 deletions b/‎docs/content/docs/host-header/http10-no-host.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎docs/content/docs/malformed-input/chunk-extension-long.md‎
Lines changed: 9 additions & 8 deletions b/‎docs/content/docs/malformed-input/chunk-extension-long.md‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎docs/content/docs/malformed-input/post-cl-huge-no-body.md‎
Lines changed: 34 additions & 0 deletions b/‎docs/content/docs/malformed-input/post-cl-huge-no-body.md‎
Lines changed: 34 additions & 0 deletions
@@ -4,13 +4,13 @@ HTTP/1.1 server compliance and security tester. Sends malformed, ambiguous, and
 
 **Website:** [mda2av.github.io/Http11Probe](https://MDA2AV.github.io/Http11Probe/) — full documentation, test glossary with RFC citations, and live probe results across all tested servers.
 
-## 116 Tests across 3 Categories
+## 146 Tests across 3 Categories
 
 | Category | Tests | What it covers |
 |----------|------:|----------------|
-| **Compliance** | 47 | RFC 9110/9112 protocol requirements — bare LF, obs-fold, missing Host, invalid versions, chunked encoding, upgrade handling, etc. |
-| **Smuggling** | 50 | CL/TE ambiguity, duplicate Content-Length, pipeline desync, TE obfuscation, chunk extension abuse, bare LF in chunked framing |
-| **Malformed Input** | 19 | Binary garbage, oversized URLs/headers/methods, NUL bytes, control characters, integer overflow, HTTP/2 preface |
+| **Compliance** | 60 | RFC 9110/9112 protocol requirements — bare LF, obs-fold, missing Host, invalid versions, chunked encoding, connection semantics, upgrade handling, etc. |
+| **Smuggling** | 60 | CL/TE ambiguity, duplicate Content-Length, pipeline desync, TE obfuscation, chunk extension abuse, bare LF in chunked framing, URI/Host mismatch |
+| **Malformed Input** | 26 | Binary garbage, oversized URLs/headers/methods, NUL bytes, control characters, integer overflow, overlong UTF-8, encoded CRLF injection |
 
 Each test is scored against RFC normative language (MUST/SHOULD/MAY) and classified as **Pass**, **Fail**, or **Warn** (when the RFC permits both strict and lenient behavior).
 
@@ -57,7 +57,7 @@ dotnet run --project src/Http11Probe.Cli -- --host localhost --port 8080 --outpu
 Results stream to the console as each test completes, with a summary at the end:
 
 ```
-Score: 97/97  19 warnings  (116 tests, 35.5s)
+Score: 97/97  19 warnings  (146 tests, 35.5s)
 ```
 
 ## Building
 
@@ -0,0 +1,45 @@
+---
+title: "CHUNKED-HEX-UPPERCASE"
+description: "CHUNKED-HEX-UPPERCASE test documentation"
+weight: 12
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-CHUNKED-HEX-UPPERCASE` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 §7.1](https://www.rfc-editor.org/rfc/rfc9112#section-7.1) |
+| **Requirement** | MUST accept |
+| **Expected** | `2xx` |
+
+## What it sends
+
+A valid chunked POST where the chunk size is expressed using an uppercase hexadecimal digit: `A` (which equals 10 in decimal), followed by exactly 10 bytes of data.
+
+```http
+POST / HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+A\r\n
+helloworld\r\n
+0\r\n
+\r\n
+```
+
+The chunk size `A` is uppercase hex for 10. The chunk data `helloworld` is exactly 10 bytes.
+
+## What the RFC says
+
+> "chunk-size = 1*HEXDIG" -- RFC 9112 Section 7.1
+
+`HEXDIG` is defined as `DIGIT / "A" / "B" / "C" / "D" / "E" / "F"` (case-insensitive per RFC 5234 ABNF conventions). Both `a` and `A` represent the decimal value 10. A compliant chunked parser must accept hex digits in any case.
+
+## Why it matters
+
+While most chunk sizes in practice are small decimal numbers (like `5` or `1a`), the grammar allows any combination of uppercase and lowercase hex digits. A parser that only handles lowercase hex, or only decimal digits, will fail on legitimate chunked bodies. This is a basic interoperability requirement for any HTTP/1.1 implementation.
+
+## Sources
+
+- [RFC 9112 §7.1 -- Chunked Transfer Coding](https://www.rfc-editor.org/rfc/rfc9112#section-7.1)
+- [RFC 5234 -- ABNF (HEXDIG definition)](https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1)
@@ -0,0 +1,53 @@
+---
+title: "CHUNKED-TRAILER-VALID"
+description: "CHUNKED-TRAILER-VALID test documentation"
+weight: 11
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-CHUNKED-TRAILER-VALID` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 §7.1.2](https://www.rfc-editor.org/rfc/rfc9112#section-7.1.2) |
+| **Requirement** | MUST accept |
+| **Expected** | `2xx` |
+
+## What it sends
+
+A valid chunked POST with a single 5-byte chunk, a zero terminator, and a trailer field (`X-Checksum: abc`) after the final chunk.
+
+```http
+POST / HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+0\r\n
+X-Checksum: abc\r\n
+\r\n
+```
+
+The trailer section appears between the zero-length terminating chunk and the final empty line.
+
+## What the RFC says
+
+> "A trailer section allows the sender to include additional fields at the end of a chunked message in order to supply metadata that might be dynamically generated while the content is sent." -- RFC 9112 Section 7.1.2
+
+The chunked encoding grammar explicitly includes an optional trailer section:
+
+```
+chunked-body = *chunk last-chunk trailer-section CRLF
+trailer-section = *( field-line CRLF )
+```
+
+Trailer fields are valid metadata that follow the zero-length terminating chunk. A compliant HTTP/1.1 server must be able to parse them, even if it chooses to discard them.
+
+## Why it matters
+
+Trailer fields are used in practice for checksums, signatures, and streaming metadata that cannot be known until the body has been fully generated. A server that rejects a valid chunked body just because it contains a trailer section has an incomplete chunked encoding parser. This can break interoperability with legitimate clients and proxies that use trailers.
+
+## Sources
+
+- [RFC 9112 §7.1.2 -- Chunked Trailer Section](https://www.rfc-editor.org/rfc/rfc9112#section-7.1.2)
+- [RFC 9110 Section 6.5 -- Trailer Fields](https://www.rfc-editor.org/rfc/rfc9110#section-6.5)
@@ -0,0 +1,39 @@
+---
+title: "CONNECTION-CLOSE"
+description: "CONNECTION-CLOSE test documentation"
+weight: 6
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-CONNECTION-CLOSE` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 §9.3](https://www.rfc-editor.org/rfc/rfc9112#section-9.3) |
+| **Requirement** | MUST |
+| **Expected** | `2xx` + connection closed |
+
+## What it sends
+
+A standard GET request with `Connection: close` indicating the client wants the server to close the connection after sending the response.
+
+```http
+GET / HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Connection: close\r\n
+\r\n
+```
+
+## What the RFC says
+
+> "A server that receives a 'close' connection option MUST initiate a close of the connection after it sends the final response to the request in which the 'close' was received." -- RFC 9112 Section 9.3
+
+The server must both respond successfully and close the TCP connection afterward. Responding with `2xx` but leaving the connection open violates this requirement.
+
+## Why it matters
+
+If a server ignores `Connection: close` and keeps the connection alive, a client may send a second request on what it believes is a new connection. In proxy environments, this can lead to response mismatch: the proxy believes the connection is closed and assigns it to a different client, who then receives the first client's response. Honoring `Connection: close` is essential for correct connection lifecycle management.
+
+## Sources
+
+- [RFC 9112 §9.3 -- Persistence](https://www.rfc-editor.org/rfc/rfc9112#section-9.3)
+- [RFC 9110 Section 7.6.1 -- Connection](https://www.rfc-editor.org/rfc/rfc9110#section-7.6.1)
@@ -0,0 +1,42 @@
+---
+title: "HTTP10-DEFAULT-CLOSE"
+description: "HTTP10-DEFAULT-CLOSE test documentation"
+weight: 7
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-HTTP10-DEFAULT-CLOSE` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 §9.3](https://www.rfc-editor.org/rfc/rfc9112#section-9.3) |
+| **Requirement** | SHOULD |
+| **Expected** | `2xx` + connection closed |
+
+## What it sends
+
+An HTTP/1.0 GET request without a `Connection: keep-alive` header.
+
+```http
+GET / HTTP/1.0\r\n
+Host: localhost:8080\r\n
+\r\n
+```
+
+## What the RFC says
+
+HTTP/1.0 connections are not persistent by default. Unlike HTTP/1.1, where persistent connections are the default, an HTTP/1.0 client must explicitly request persistence via `Connection: keep-alive`.
+
+> "If the received protocol is HTTP/1.0, the 'close' connection option is to be assumed." -- RFC 9112 Section 9.3
+
+Without `Connection: keep-alive`, the server should treat the connection as non-persistent and close it after delivering the response.
+
+**Pass:** Server responds `2xx` and closes the connection.
+**Warn:** Server responds `2xx` but keeps the connection open (minor violation of SHOULD).
+
+## Why it matters
+
+If a server treats HTTP/1.0 connections as persistent by default, it may hold the connection open indefinitely waiting for another request that will never come, wasting resources. More critically, in proxy chains, a downstream server keeping an HTTP/1.0 connection alive when the proxy expects it to close can cause response desynchronization.
+
+## Sources
+
+- [RFC 9112 §9.3 -- Persistence](https://www.rfc-editor.org/rfc/rfc9112#section-9.3)
@@ -0,0 +1,40 @@
+---
+title: "HOST-EMPTY-VALUE"
+description: "HOST-EMPTY-VALUE test documentation"
+weight: 6
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-HOST-EMPTY-VALUE` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 §3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2) |
+| **Requirement** | MUST |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A request with a `Host` header present but with an empty value.
+
+```http
+GET / HTTP/1.1\r\n
+Host: \r\n
+\r\n
+```
+
+The `Host` header line exists, but its value is empty (nothing between the colon and CRLF).
+
+## What the RFC says
+
+> "A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field line or a Host header field with an invalid field value." -- RFC 9112 Section 3.2
+
+An empty Host value is invalid when the request-target is in origin-form. The host identification is effectively absent, making the server unable to determine which virtual host is being addressed.
+
+## Why it matters
+
+A Host header with an empty value is functionally equivalent to having no Host header at all. If a server accepts this, it may fall back to a default virtual host, potentially serving content from an unintended application. In multi-tenant environments, this can lead to information disclosure or incorrect routing.
+
+## Sources
+
+- [RFC 9112 Section 3.2 -- Request Target](https://www.rfc-editor.org/rfc/rfc9112#section-3.2)
+- [RFC 9110 Section 7.2 -- Host and :authority](https://www.rfc-editor.org/rfc/rfc9110#section-7.2)
@@ -0,0 +1,44 @@
+---
+title: "HTTP10-NO-HOST"
+description: "HTTP10-NO-HOST test documentation"
+weight: 7
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-HTTP10-NO-HOST` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 §3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2) |
+| **Requirement** | MAY (unscored) |
+| **Expected** | `200` = Warn, `400` = Pass |
+
+## What it sends
+
+An HTTP/1.0 request with no `Host` header at all.
+
+```http
+GET / HTTP/1.0\r\n
+\r\n
+```
+
+No `Host` header is present, and the HTTP version is 1.0.
+
+## What the RFC says
+
+The `Host` header requirement was introduced in HTTP/1.1. HTTP/1.0 predates this requirement, so an HTTP/1.0 request without a `Host` header is not technically a protocol violation:
+
+> "A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field..." -- RFC 9112 Section 3.2
+
+Note the requirement explicitly says "HTTP/1.1 request message." For HTTP/1.0, the server may choose to accept the request (routing to a default virtual host) or reject it.
+
+**Pass:** Server rejects with `400` (strict -- good security practice).
+**Warn:** Server accepts with `200` (valid -- HTTP/1.0 did not require Host).
+
+## Why it matters
+
+In a virtual hosting environment, a request without a `Host` header gives the server no indication of which site is being targeted. Accepting such requests means the server must fall back to a default host, which could serve unintended content. Rejecting HTTP/1.0 requests without `Host` is the safer approach, especially since legitimate modern clients always send a `Host` header regardless of HTTP version.
+
+## Sources
+
+- [RFC 9112 §3.2 -- Request Target](https://www.rfc-editor.org/rfc/rfc9112#section-3.2)
+- [RFC 9110 Section 7.2 -- Host and :authority](https://www.rfc-editor.org/rfc/rfc9110#section-7.2)
@@ -1,37 +1,38 @@
 ---
-title: "CHUNK-EXTENSION-LONG"
-description: "CHUNK-EXTENSION-LONG test documentation"
+title: "CHUNK-EXT-64K"
+description: "CHUNK-EXT-64K test documentation"
 weight: 18
 ---
 
 | | |
 |---|---|
-| **Test ID** | `MAL-CHUNK-EXTENSION-LONG` |
+| **Test ID** | `MAL-CHUNK-EXT-64K` |
 | **Category** | Malformed Input |
 | **Expected** | `400`/`431` or close |
 
 ## What it sends
 
-A chunked request with a chunk extension containing 100KB of data.
+A chunked request with a chunk extension containing 64KB (65,536 bytes) of data.
 
 ```http
 POST / HTTP/1.1\r\n
 Host: localhost:8080\r\n
 Transfer-Encoding: chunked\r\n
 \r\n
-5;ext=AAAA...{100,000 × 'A'}...\r\n
+5;ext=aaaa...{65,536 x 'a'}...\r\n
 hello\r\n
 0\r\n
 \r\n
 ```
 
-The chunk extension value is 100,000 bytes of `A` characters.
+The chunk extension value is 65,536 bytes of `a` characters.
 
 
 ## Why it matters
 
-While chunk extensions are syntactically valid per RFC 9112 Section 7.1.1, a 100KB extension is pathological. A robust server should reject unreasonably large chunk extensions to prevent resource exhaustion and denial of service.
+While chunk extensions are syntactically valid per RFC 9112 Section 7.1.1, a 64KB extension is pathological. A robust server should reject unreasonably large chunk extensions to prevent resource exhaustion and denial of service. CVE-2023-39326 demonstrated that Go's `net/http` library could be exploited via large chunk extensions to cause excessive memory consumption and DoS.
 
 ## Sources
 
-- RFC 9112 Section 7.1.1 — chunk extensions
+- [RFC 9112 Section 7.1.1 — chunk extensions](https://www.rfc-editor.org/rfc/rfc9112#section-7.1.1)
+- [CVE-2023-39326 — Go net/http chunk extension DoS](https://nvd.nist.gov/vuln/detail/CVE-2023-39326)
@@ -0,0 +1,34 @@
+---
+title: "POST-CL-HUGE-NO-BODY"
+description: "POST-CL-HUGE-NO-BODY test documentation"
+weight: 26
+---
+
+| | |
+|---|---|
+| **Test ID** | `MAL-POST-CL-HUGE-NO-BODY` |
+| **Category** | Malformed Input |
+| **RFC** | [RFC 9112 Section 6.2](https://www.rfc-editor.org/rfc/rfc9112#section-6.2) |
+| **Expected** | `400`/close/timeout |
+
+## What it sends
+
+A POST request declaring a ~1GB body via Content-Length but sending no body data at all.
+
+```http
+POST / HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Content-Length: 999999999\r\n
+\r\n
+```
+
+No body follows the empty line. The connection remains open.
+
+## Why it matters
+
+Tests whether the server pre-allocates memory for the declared body size or waits for data to arrive. A server that allocates 1GB upfront from a Content-Length header is vulnerable to memory exhaustion DoS -- an attacker can send many such requests cheaply to exhaust server memory. The correct behavior is to either stream the body incrementally, reject absurdly large Content-Length values, or timeout waiting for the body data that never arrives.
+
+## Sources
+
+- [RFC 9112 Section 6.2 -- Content-Length](https://www.rfc-editor.org/rfc/rfc9112#section-6.2)
+- [CWE-770 -- Allocation of Resources Without Limits or Throttling](https://cwe.mitre.org/data/definitions/770.html)