HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges

Video Link: https://www.youtube.com/watch?v=x2d7laTqu-U



Duration: 42:36

Amit Klein | VP Security Research, SafeBreach
Date: Wednesday, August 5 | 10:00am-10:40am
Format: 40-Minute Briefings
Tracks: AppSec, Network Security

HTTP Request Smuggling (AKA HTTP Desyncing) is an attack technique first published in 2005. It exploits differing interpretations of a stream of non-standard HTTP requests among the HTTP devices sitting between the client (attacker) and the server (the server itself included): when a front-end and a back-end disagree about where one request ends and the next begins, the attacker controls bytes that the back-end treats as a separate request. It can be used to smuggle requests past WAFs and other security solutions, poison HTTP caches, inject responses to users and hijack user requests.
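The disagreement described above, as an added example that is not code from the talk or from the speaker's library: one constructed byte stream carrying a request with both Content-Length and Transfer-Encoding, parsed three ways. A parser that honours Content-Length sees a single POST; a parser that honours Transfer-Encoding sees the POST followed by a second, attacker-supplied GET; a strict parser rejects the request as ambiguous, which RFC 7230 section 3.3.3 permits a server to do. The hostname and paths are placeholders.

```python
# Added example: three framings of the same HTTP/1.1 byte stream (CL.TE desync).
# Not the speaker's code; hostnames and paths are constructed placeholders.

# Constructed sample stream. The Content-Length (48) covers everything after the
# blank line, so a CL-honouring device forwards the whole thing as one request,
# while a TE-honouring device ends the chunked body at "0\r\n\r\n" and reads
# "GET /admin ..." as the next request on the connection.
STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 48\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def parse_headers(stream, pos):
    """Return (request_line, [(name, value), ...], position after the blank line)."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise ValueError("incomplete header block")
    head = stream[pos:end].split(b"\r\n")
    request_line = head[0].decode("ascii")
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, end + 4


def read_chunked(stream, pos):
    """Consume a chunked body (RFC 7230 4.1) and return (body, position after it)."""
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # last-chunk: skip any trailer fields up to and including the empty line
            while True:
                line_end = stream.find(b"\r\n", pos)
                if line_end < 0:
                    raise ValueError("incomplete trailer section")
                line = stream[pos:line_end]
                pos = line_end + 2
                if line == b"":
                    return body, pos
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def split_requests(stream, framing):
    """Split a byte stream into [(request_line, body), ...].

    framing: "cl"     - honour Content-Length, ignore Transfer-Encoding (lax front-end)
             "te"     - honour Transfer-Encoding when present (lax back-end)
             "strict" - reject ambiguous or malformed framing outright
    """
    requests = []
    pos = 0
    while pos < len(stream):
        request_line, headers, pos = parse_headers(stream, pos)
        cls = [v for n, v in headers if n == b"content-length"]
        tes = [v for n, v in headers if n == b"transfer-encoding"]
        if framing == "strict":
            if cls and tes:
                raise ValueError(f"ambiguous framing in {request_line!r}: "
                                 "both Content-Length and Transfer-Encoding present")
            if len(set(cls)) > 1 or not all(v.isdigit() for v in cls):
                raise ValueError("conflicting or non-numeric Content-Length")
            if tes and tes != [b"chunked"]:
                raise ValueError("unsupported Transfer-Encoding")
        if tes and framing in ("te", "strict"):
            body, pos = read_chunked(stream, pos)
        elif cls:
            length = int(cls[0])
            body = stream[pos:pos + length]
            if len(body) != length:
                raise ValueError("truncated Content-Length body")
            pos += length
        else:
            body = b""
        requests.append((request_line, body))
    return requests


if __name__ == "__main__":
    for mode in ("cl", "te", "strict"):
        try:
            print(mode, [(line, len(body)) for line, body in split_requests(STREAM, mode)])
        except ValueError as err:
            print(mode, "rejected:", err)
```

Run as a script it prints one request for "cl", two for "te" and a rejection for "strict". The point is that neither lax parser is wrong on its own; the attack exists only because the two sit on the same connection and disagree, so the defence is to refuse the ambiguous message before it reaches a second interpreter.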

You'd think that HTTP Request Smuggling should be difficult to find in 2020. After all, protecting against HTTP Request Smuggling is all about having an HTTP parser that adheres to the RFC standards. And with James Kettle's presentation at Black Hat 2019, which put the issue back in the limelight, awareness must be high these days. Even more so for COTS software, which can easily be reviewed and patched by its vendor.

Not so.

In this presentation, I demonstrate four new HTTP Request Smuggling attack variants that work against popular, present-day COTS web servers and HTTP proxy servers. I also describe a successful attack with an old variant, and I demonstrate a circumvention of an existing HTTP Request Smuggling protection in a free, open source application security solution.

I then discuss the shortcomings of existing free, open source solutions for HTTP Request Smuggling, and describe and share my C++ "Request Smuggling Firewall" class library, which can be injected into any user-space process (web server or proxy server) to provide robust socket-level protection against HTTP Request Smuggling. My class library is extensible beyond HTTP Request Smuggling, and in fact beyond HTTP.

Finally, I describe some anomalies I found in various web servers and proxy servers, and challenge the security research community to find a "matching" software to make them into full HTTP Request Smuggling attacks.

Black Hat USA 2020






