Show Notes

251 - RCE'ing Mailspring and a .NET CRLF Injection

Some research from Martin Doyhenard at Portswigger, presenting a way to escalate a request smuggling (HTTP desync) vulnerability by smuggling a TRACE request.

The HTTP TRACE verb is uncommonly used, but still supported by several servers. The TRACE verb was intended for debugging: one could send a TRACE request with a request body, and the response body would contain the original request as received, with any sensitive data such as credentials or cookies stripped out (Cross-Site Tracing used to be a technique for getting access to httpOnly cookies).

The result is that a smuggled TRACE request gives the attacker control over the response body, since the request body is reflected in it.
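As an added triage helper (not code from the podcast or from the Portswigger research), the snippet below parses raw HTTP/1.1 requests and flags the two things a defender reviewing proxy logs or a WAF rule set would look for in this scenario: TRACE requests (especially ones carrying a body, whose content will be reflected) and the conflicting Content-Length / Transfer-Encoding headers that indicate a desync attempt. The sample requests are constructed for the example.

```python
"""Flag HTTP requests relevant to the TRACE-reflection escalation above.

Added example, not from the podcast or from the Portswigger research.
Sample requests below are constructed, not captured from any system.
"""
from typing import Dict, List, Tuple


def parse_request(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Split a raw HTTP/1.1 request into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Keep every occurrence so duplicate headers stay visible.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers, body


def findings(raw: bytes) -> List[str]:
    """Return the reasons a request deserves a closer look (empty if none)."""
    method, headers, body = parse_request(raw)
    out: List[str] = []
    if method == "TRACE":
        out.append("TRACE method: response will reflect the request")
        if body:
            out.append("TRACE with a body: request body lands in the response")
    if "content-length" in headers and "transfer-encoding" in headers:
        out.append("both Content-Length and Transfer-Encoding: desync indicator")
    if len(headers.get("content-length", [])) > 1:
        out.append("duplicate Content-Length headers: desync indicator")
    return out


# Constructed sample traffic for the example.
SAMPLES = {
    "normal": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "trace_with_body": (b"TRACE / HTTP/1.1\r\nHost: example\r\n"
                        b"Content-Length: 5\r\n\r\nhello"),
    "cl_te": (b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, findings(raw))
```

Servers that do not need TRACE should simply disable it (for example Apache's `TraceEnable off`), which removes the reflection primitive regardless of whether a desync is possible.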