HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 10 a.m. (40 minutes)

HTTP Request Smuggling (AKA HTTP Desyncing) is an attack technique invented in 2005 that exploits differing interpretations of a stream of non-standard HTTP requests among the various HTTP devices between the client (attacker) and the server (including the server itself). It can be used to smuggle requests past WAFs and security solutions, poison HTTP caches, inject responses to users and hijack user requests.

You'd think that HTTP Request Smuggling should be difficult to find in 2020. After all, protecting against HTTP Request Smuggling is all about having an HTTP parser that adheres to the RFC standards. And with James Kettle's presentation at Black Hat 2019, which put the issue back in the limelight, awareness must be high these days. Even more so with COTS software, which can easily be reviewed and patched by its vendor.

Not so.

In this presentation, I demonstrate four new HTTP Request Smuggling attack variants that work against COTS, popular, present-day web servers and HTTP proxy servers. I also describe a successful attack with an old variant, and I demonstrate a circumvention of an existing HTTP Request Smuggling protection for a free, open source application security solution.

I then discuss the shortcomings of existing free, open source solutions for HTTP Request Smuggling, and describe and share my C++ "Request Smuggling Firewall" class library, which can be injected into any user-space process (web server or proxy server) to provide robust socket-level protection against HTTP Request Smuggling. My class library is extensible beyond HTTP Request Smuggling, and in fact beyond HTTP.
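To make concrete the ambiguity the abstract describes, and the kind of decision a socket-level request-smuggling firewall has to make per request, here is an added example written for this page (not the presenter's class library): a conservative framing check that rejects any HTTP/1.1 request whose body length could be read two ways by two devices in the chain. The header block format and the rejection reasons are this example's own assumptions.

```cpp
// Added example, not the talk's class library: refuse to forward any
// HTTP/1.1 request whose body framing is ambiguous instead of guessing.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Trim optional whitespace and lower-case a header name or value for comparison.
static std::string norm(std::string s) {
    auto sp = [](unsigned char c) { return std::isspace(c) != 0; };
    while (!s.empty() && sp(s.back())) s.pop_back();
    while (!s.empty() && sp(s.front())) s.erase(s.begin());
    for (auto& c : s) c = (char)std::tolower((unsigned char)c);
    return s;
}

// Returns "" when the body length is unambiguous, otherwise a reason to drop it.
std::string framing_problem(const std::string& raw) {
    std::vector<std::string> cl, te;          // all Content-Length / Transfer-Encoding values seen
    size_t end = raw.find("\r\n\r\n"), pos = raw.find("\r\n");
    if (end == std::string::npos) return "incomplete header block";
    pos += 2;                                 // skip the request line
    while (pos < end) {
        size_t eol = raw.find("\r\n", pos);
        std::string line = raw.substr(pos, eol - pos);
        pos = eol + 2;
        if (line.empty() || std::isspace((unsigned char)line[0])) return "obsolete line folding";
        size_t colon = line.find(':');
        if (colon == std::string::npos) return "header line without ':'";
        std::string name = line.substr(0, colon);
        if (name.find_first_of(" \t") != std::string::npos) return "whitespace before ':'";
        name = norm(name);
        if (name == "content-length") cl.push_back(norm(line.substr(colon + 1)));
        if (name == "transfer-encoding") te.push_back(norm(line.substr(colon + 1)));
    }
    // Two framing mechanisms at once is exactly the condition desync attacks exploit.
    if (!cl.empty() && !te.empty()) return "both Content-Length and Transfer-Encoding";
    if (te.size() > 1 || (te.size() == 1 && te[0] != "chunked"))
        return "Transfer-Encoding is not exactly one 'chunked'";
    for (const auto& v : cl) {
        if (v.empty() || !std::all_of(v.begin(), v.end(),
                [](unsigned char c) { return std::isdigit(c) != 0; }))
            return "non-numeric Content-Length";
        if (v != cl[0]) return "conflicting Content-Length values";
    }
    return "";
}
```

A proxy or server wrapper would call framing_problem on each buffered request head and close the connection on any non-empty result, so that no downstream parser ever sees the ambiguous bytes.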

Finally, I describe some anomalies I found in various web servers and proxy servers, and challenge the security research community to find a "matching" software to make them into full HTTP Request Smuggling attacks.


Presenters:

  • Amit Klein - VP Security Research, SafeBreach
    Amit Klein is a world-renowned information security expert, with 29 years in information security and over 30 published technical and academic papers on this topic. Amit is the VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration, and lateral movement attacks. Before SafeBreach, Amit was the CTO of Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was Chief Scientist for Cyota (acquired by RSA) for 2 years, and prior to that, Director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM's security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the Year 2010, and has presented at Black Hat USA, DEF CON, Usenix, NDSS, InfoCom, DSN, HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG, and AusCERT.