It's possible to traverse all HTTP rules by using CR ('\r') as a space characters in requests.
vulners.com/securityvulns/securityvulns:doc:12938
vulners.com/securityvulns/securityvulns:doc:12960