HTTP Desync Attacks: Request Smuggling Reborn

Presented at Black Hat Europe 2019, Dec. 4, 2019, 2:30 p.m. (50 minutes)

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $70k in bug bounties.

Using these targets as case studies, I'll show you how to delicately amend victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise PayPal's login page.

HTTP Request Smuggling was first documented back in 2005, but a fearsome reputation for difficulty and collateral damage left it mostly ignored for years while the web's susceptibility grew. Alongside new attack variants and exploitation vectors, I'll help you tackle this legacy with custom open source tooling and a refined methodology for reliable black-box detection, assessment and exploitation with minimal risk of collateral damage.

Finally, I'll take a critical look at various significant developments that occurred after this presentation was first delivered at Black Hat USA earlier this year.

Presenters:

  • James Kettle / albinowax - Head of Research, PortSwigger Web Security
    James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both Black Hat USA and EU, and OWASP AppSec USA and EU.
