| SSRF | Internal service access, cloud metadata, protocol smuggling |
| HTTP Smuggling | CL.TE, TE.CL, TE.TE, CL.0, H2.CL, h2c, multi-layer proxy chains, connection pooling desync |
| Path Traversal | Directory traversal, null bytes, encoding bypass |
| File Upload | Extension bypass, content-type manipulation, polyglot files |
| Deserialization | Java, PHP, Python, .NET gadget chains |
| Host Header | Password reset poisoning, cache poisoning, routing-based SSRF |
| CUPS / cups-browsed | CVE-2024-47076/47175/47176/47177 — UDP browse → IPP injection → PPD injection → foomatic-rip RCE (see skills/infrastructure/reference/scenarios/network-recon/cups-browsed-rce.md) |