Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes).

The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end... until now.

In this session, I'll show you how to turn your victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You'll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques, I'll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

This new frontier offers both new opportunities and new challenges. While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I'll share a battle-tested methodology combining browser features and custom open-source tooling. We'll also release free online labs to help hone your new skillset.

I'll also share the research journey, uncovering a strategy for black-box analysis that solved several long-standing desync obstacles and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks; to wrap up, I'll live-demo breaking HTTPS on Apache.


Presenters:

  • James Kettle / albinowax - Director of Research, PortSwigger   as James Kettle
    James 'albinowax' Kettle is the Director of Research at PortSwigger. His latest work includes HTTP/2 desync attacks and web cache poisoning. James has extensive experience cultivating novel attack techniques, including RCE via Server-Side Template Injection, and abusing the HTTP Host header to poison password reset emails and server-side caches. James is also the author of various popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEFCON.

Links:

Similar Presentations: