Presented at DEF CON 33 (2025), Aug. 8, 2025, 10 a.m. (20 minutes).
Modern web applications don’t just expose APIs; they expose attack paths. Recursive Request Exploits (RRE) are a new class of attack that weaponizes interdependent web requests to systematically bypass authentication, authorization, and payment controls.
This talk introduces RRE, a methodology that automates recursive request discovery, maps hidden relationships between API and web calls, and exploits overlooked logic flaws. Using a real-world case study, we’ll show how this technique was used to bypass premium paywalls on a major streaming platform without requiring authentication or hacking DRM.
But this isn’t just a one-off streaming exploit: RRE exposes a fundamental flaw in how checkout logic is enforced across e-commerce and digital subscriptions. By chaining requests together in unintended ways, attackers can exploit blind spots in authentication, entitlement, and payment flows to gain unauthorized access. What was once considered security through obscurity is now an active attack surface.
We’ll release exploit code, packaged as a Burp Suite extension, that automates RRE discovery and exploitation, giving security professionals the tools to both weaponize and defend against these attacks.
Presenters:
- Farzan Karimi
Farzan Karimi has 20 years of experience in offensive security. He is currently the Senior Director of Attack Operations at Moderna. Formerly, he managed the Android Red Team at Google and the red team at Electronic Arts.
Farzan has been interviewed by Wired Magazine and was featured on Ted Danson's Advancements. He is an avid speaker at security conferences such as DEF CON and Black Hat USA, where he has presented on Pixel exploitation and cellular security.