I started the internship having never worked with web servers, and have now found over 100 HTTP implementation bugs. I attribute this mostly to the ease of experimentation in the Garden. REPL-oriented fuzzing is just a really good interface for finding parsing bugs. It's pretty neat to able to run a differential fuzzer, categorize and display all the discovered discrepancies, then let a human pick through them and interact with fuzz targets to test whether the bugs are exploitable.
Some notable server combinations in which we discovered new request smuggling attacks include Google Cloud <-> Node.js, Akamai <-> Node.js, [almost anything] <-> LiteSpeed, and OpenBSD relayd <-> [anything].
We also found an infinite loop DoS in Cesanta Mongoose that affects all configurations, and a null pointer dereference that can crash any OpenBSD httpd server that uses FastCGI.
