Hiding Wookiees in HTTP - HTTP smuggling is a thing we should know better and care about

Presented at DEF CON 24 (2016), Aug. 7, 2016, 11 a.m. (60 minutes).

HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine not fast, and come with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can beexploited for bad things; we'll play with HTTP to inject unexpectedcontent in the user browser, or perform actions in his name.

If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, the short part, I will show you this new Open Source stress tool that I wrote and hope that you will remember it when you'll write your own HTTP parser for you new f** language.


Presenters:

Links:

Similar Presentations: