n|u - The Open Security Community, profile picture
Uploaded byn|u - The Open Security Community
PPTX, PDF645 views

Http request smuggling

This document discusses HTTP request smuggling vulnerabilities. It begins with an introduction and overview of what will be covered. It then explains where the vulnerability lies in potential desynchronization between how a front-end server and back-end server determine the end of a request. Several examples of different types of desynchronization are provided, including using different content length and transfer encoding headers. Exploitation scenarios and prevention methods are also summarized.

Education
Related topics:
Information Security

Embed presentation

Download to read offline
HTTP Request Smuggling By Kuldeep Pandya
● Worked as a security analyst ● Cop trainer ● Active Null Ahmedabad volunteer ● A neophyte ● Also, a student About me
What are we going to cover? Core concepts Types of request smuggling Practical example of attack Exploitation scenarios Prevention 2 3 4 5 6 Where does the vulnerability lie? 1
A visualization of high-traffic websites example.com example.com example.com’ s load balancer Users Front-end server Back-end server
Vulnerability example.com example.com example.com’ s load balancer Users Front-end server Back-end server
The chunked Transfer-Encoding ● Transfer-Encoding: chunked is used to transfer data in chunks ● For example: 5rn Hellorn 8rn Everyonern 0rn rn Chunk 1 Chunk 2 Terminating Chunk
1. Using Content-Length 2. Using Transfer-Encoding Two ways to decide where the request ends POST / HTTP/1.1 Host: example.com Content-Length: 5 Hello POST / HTTP/1.1 Host: example.com Transfer-Encoding: chunked 5 Hello 8 Everyone 0
Vulnerability ● Vulnerability arises in desynchronization in deciding how the content ends between front-end server and back-end server ● Desynchronisation include: ○ Content-Length - Transfer-Encoding or CL.TE ○ Transfer-Encoding - Content-Length or TE.CL ○ Transfer-Encoding - Transfer-Encoding or TE.TE
CL.TE Desynchronization POST / HTTP/1.1 Host: example.com Content-Length: 10 Transfer-Encoding: chunked 0 Hello Actual Request POST / HTTP/1.1 Host: example.com Content-Length: 10 Transfer-Encoding: chunked 0 Hello What front-end server sees POST / HTTP/1.1 Host: example.com Content-Length: 10 Transfer-Encoding: chunked 0 HelloGET / HTTP/1.1 Host: example.com What back-end server sees
TE.CL Desynchronization POST / HTTP/1.1 Host: example.com Content-Length: 2 Transfer-Encoding: chunked 3 Foo 0 POST / HTTP/1.1 Host: example.com Content-Length: 2 Transfer-Encoding: chunked 3 Foo 0 POST / HTTP/1.1 Host: example.com Content-Length: 2 Transfer-Encoding: chunked 3 Foo 0GET / HTTP/1.1 Host: example.com Actual Request What front-end server sees What back-end server sees
TE.TE Desynchronization POST / HTTP/1.1 Host: example.com Content-Length: 8 Transfer-Encoding: chunked Transfer-Encoding: foo 0 Hello POST / HTTP/1.1 Host: example.com Content-Length: 8 Transfer-Encoding: chunked Transfer-Encoding: foo 0 Hello POST / HTTP/1.1 Host: example.com Content-Length: 8 Transfer-Encoding: chunked Transfer-Encoding: foo 0 HelloGET / HTTP/1.1 Host: example.com Actual Request What front-end server sees What back-end server sees
Hands-on time!
Exploitation ● Open Redirection ● Access control restriction bypass ● Web cache poisoning ● Web cache deception ● Exposing rewritten requests ● Reflected XSS ● Capturing other user’s requests
Prevention 1. Do not use load balancers 2. If used, configure them properly to only accept what is acceptable by both the front-end server and the back-end server 3. Configuring front-end server to normalize ambiguous requests
Special Thanks ● Null Ahmedabad ● James Kettle ● Portswigger web security academy ● Mentors ● SlidesGo
धन्यवाद

More Related Content

PPTX
HTTP Request Smuggling
byAkash Ashokan
 
PPTX
Buffer overflow attacks
byJoe McCarthy
 
PDF
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
PPTX
Cross Site Scripting (XSS)
byBarrel Software
 
PDF
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
PPTX
Host Header injection - Slides
byAmit Dubey
 
PPTX
Secure Code Warrior - CRLF injection
bySecure Code Warrior
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
HTTP Request Smuggling
byAkash Ashokan
 
Buffer overflow attacks
byJoe McCarthy
 
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
Cross Site Scripting (XSS)
byBarrel Software
 
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
Host Header injection - Slides
byAmit Dubey
 
Secure Code Warrior - CRLF injection
bySecure Code Warrior
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 

What's hot

PPTX
Xss attack
byManjushree Mashal
 
PPTX
Buffer overflow attacks
byKapil Nagrale
 
PPTX
Burp suite
bySOURABH DESHMUKH
 
PDF
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PPTX
Lfi
bypenetration Tester
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
File inclusion
byAaftabKhan14
 
PPTX
Burpsuite 101
byn|u - The Open Security Community
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PDF
Pentester's Mindset! - Ravikumar Paghdal
byNSConclave
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPTX
Ssrf
byIlan Mindel
 
PPTX
OWASP A4 XML External Entities (XXE)
byMichael Furman
 
PDF
Ch 4: Footprinting and Social Engineering
bySam Bowne
 
PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
Xss attack
byManjushree Mashal
 
Buffer overflow attacks
byKapil Nagrale
 
Burp suite
bySOURABH DESHMUKH
 
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
Attacker's Perspective of Active Directory
bySunny Neo
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Lfi
bypenetration Tester
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Attacking thru HTTP Host header
bySergey Belov
 
File inclusion
byAaftabKhan14
 
Burpsuite 101
byn|u - The Open Security Community
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Pentester's Mindset! - Ravikumar Paghdal
byNSConclave
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Ssrf
byIlan Mindel
 
OWASP A4 XML External Entities (XXE)
byMichael Furman
 
Ch 4: Footprinting and Social Engineering
bySam Bowne
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 

Similar to Http request smuggling

PDF
DEF CON 27- ALBINOWAX - http desync attacks
byFelipe Prado
 
PDF
Http smuggling 1 200523064027
byn|u - The Open Security Community
 
PPTX
HTTP
byaltaykarakus
 
PDF
Http:2.0 101 introduction (workshop) - Bastian Hofmann
byUNICORNS IN TECH
 
PDF
Http requesting smuggling
byApijay Kumar
 
PDF
Http requesting smuggling
byApijay Kumar
 
PDF
HTTP
byTricode (part of Dept)
 
PPT
HTTPProtocol HTTPProtocol.pptHTTPProtocol.ppt
byVietAnhNguyen337355
 
PDF
Web Application Security 101 - 02 The Basics
byWebsecurify
 
PPTX
Cyber Security-Ethical Hacking
byViral Parmar
 
PDF
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
byDefconRussia
 
PPTX
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
PPT
Hypertext Transfer Protocol Hypertext Transfer Protocol
bysambreaker1
 
PPT
HTTP_2.ppt
byAnkit Mune
 
PPT
HTTP (syper text transfer protocol)(6).ppt
byIshaanKumar43
 
PPT
HTTP.ppt
byNapoMosola
 
PPT
HTTP.ppt
byJagdeep Singh
 
PDF
Web I - 05 - HTTP Protocol
byRandy Connolly
 
PPTX
Web-01-HTTP.pptx
byAliZaib71
 
PPTX
Hypertex transfer protocol
bywanangwa234
 
DEF CON 27- ALBINOWAX - http desync attacks
byFelipe Prado
 
Http smuggling 1 200523064027
byn|u - The Open Security Community
 
HTTP
byaltaykarakus
 
Http:2.0 101 introduction (workshop) - Bastian Hofmann
byUNICORNS IN TECH
 
Http requesting smuggling
byApijay Kumar
 
Http requesting smuggling
byApijay Kumar
 
HTTP
byTricode (part of Dept)
 
HTTPProtocol HTTPProtocol.pptHTTPProtocol.ppt
byVietAnhNguyen337355
 
Web Application Security 101 - 02 The Basics
byWebsecurify
 
Cyber Security-Ethical Hacking
byViral Parmar
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
byDefconRussia
 
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
Hypertext Transfer Protocol Hypertext Transfer Protocol
bysambreaker1
 
HTTP_2.ppt
byAnkit Mune
 
HTTP (syper text transfer protocol)(6).ppt
byIshaanKumar43
 
HTTP.ppt
byNapoMosola
 
HTTP.ppt
byJagdeep Singh
 
Web I - 05 - HTTP Protocol
byRandy Connolly
 
Web-01-HTTP.pptx
byAliZaib71
 
Hypertex transfer protocol
bywanangwa234
 

More from n|u - The Open Security Community

PDF
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
PDF
Osint primer
byn|u - The Open Security Community
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPTX
Nmap basics
byn|u - The Open Security Community
 
PDF
Metasploit primary
byn|u - The Open Security Community
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
Introduction to TLS 1.3
byn|u - The Open Security Community
 
PDF
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
PDF
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
PPTX
Building active directory lab for red teaming
byn|u - The Open Security Community
 
PPTX
Owning a company through their logs
byn|u - The Open Security Community
 
PPTX
Introduction to shodan
byn|u - The Open Security Community
 
PDF
Cloud security
byn|u - The Open Security Community
 
PDF
Detecting persistence in windows
byn|u - The Open Security Community
 
PPTX
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
PDF
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
PDF
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
PDF
Extensible markup language attacks
byn|u - The Open Security Community
 
PPTX
Linux for hackers
byn|u - The Open Security Community
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
Osint primer
byn|u - The Open Security Community
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Nmap basics
byn|u - The Open Security Community
 
Metasploit primary
byn|u - The Open Security Community
 
Api security-testing
byn|u - The Open Security Community
 
Introduction to TLS 1.3
byn|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
Building active directory lab for red teaming
byn|u - The Open Security Community
 
Owning a company through their logs
byn|u - The Open Security Community
 
Introduction to shodan
byn|u - The Open Security Community
 
Cloud security
byn|u - The Open Security Community
 
Detecting persistence in windows
byn|u - The Open Security Community
 
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
Extensible markup language attacks
byn|u - The Open Security Community
 
Linux for hackers
byn|u - The Open Security Community
 
Android Pentesting
byn|u - The Open Security Community
 

Recently uploaded

PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PDF
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
PDF
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PPTX
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PPTX
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
PDF
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
PPTX
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
PPTX
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
In this document
Powered by AI

Overview of the presentation by Kuldeep Pandya, detailing his background as a security analyst and volunteer.

Outline of key topics to be covered: core concepts, types of request smuggling, examples, exploitation scenarios, and prevention.

Visualization of high-traffic websites showing front-end and back-end server interactions and potential vulnerabilities.

Explanation of chunked transfer encoding in HTTP requests, detailing how data is sent in chunks.

Details on vulnerabilities arising from request desynchronization based on how content length is interpreted.

Introduction to a practical hands-on session involving HTTP request smuggling.

Various exploitation techniques including open redirection, web cache poisoning, and reflected XSS.

Strategies to prevent HTTP request smuggling including avoiding load balancers and normalizing requests.

Expression of gratitude towards various organizations and mentors for support.

Closing remarks in Hindi.

Http request smuggling

  • 1.
  • 2.
    ● Worked asa security analyst ● Cop trainer ● Active Null Ahmedabad volunteer ● A neophyte ● Also, a student About me
  • 3.
    What are wegoing to cover? Core concepts Types of request smuggling Practical example of attack Exploitation scenarios Prevention 2 3 4 5 6 Where does the vulnerability lie? 1
  • 4.
    A visualization ofhigh-traffic websites example.com example.com example.com’ s load balancer Users Front-end server Back-end server
  • 5.
  • 6.
    The chunked Transfer-Encoding ●Transfer-Encoding: chunked is used to transfer data in chunks ● For example: 5rn Hellorn 8rn Everyonern 0rn rn Chunk 1 Chunk 2 Terminating Chunk
  • 7.
    1. Using Content-Length2. Using Transfer-Encoding Two ways to decide where the request ends POST / HTTP/1.1 Host: example.com Content-Length: 5 Hello POST / HTTP/1.1 Host: example.com Transfer-Encoding: chunked 5 Hello 8 Everyone 0
  • 8.
    Vulnerability ● Vulnerability arisesin desynchronization in deciding how the content ends between front-end server and back-end server ● Desynchronisation include: ○ Content-Length - Transfer-Encoding or CL.TE ○ Transfer-Encoding - Content-Length or TE.CL ○ Transfer-Encoding - Transfer-Encoding or TE.TE
  • 9.
    CL.TE Desynchronization POST /HTTP/1.1 Host: example.com Content-Length: 10 Transfer-Encoding: chunked 0 Hello Actual Request POST / HTTP/1.1 Host: example.com Content-Length: 10 Transfer-Encoding: chunked 0 Hello What front-end server sees POST / HTTP/1.1 Host: example.com Content-Length: 10 Transfer-Encoding: chunked 0 HelloGET / HTTP/1.1 Host: example.com What back-end server sees
  • 10.
    TE.CL Desynchronization POST /HTTP/1.1 Host: example.com Content-Length: 2 Transfer-Encoding: chunked 3 Foo 0 POST / HTTP/1.1 Host: example.com Content-Length: 2 Transfer-Encoding: chunked 3 Foo 0 POST / HTTP/1.1 Host: example.com Content-Length: 2 Transfer-Encoding: chunked 3 Foo 0GET / HTTP/1.1 Host: example.com Actual Request What front-end server sees What back-end server sees
  • 11.
    TE.TE Desynchronization POST /HTTP/1.1 Host: example.com Content-Length: 8 Transfer-Encoding: chunked Transfer-Encoding: foo 0 Hello POST / HTTP/1.1 Host: example.com Content-Length: 8 Transfer-Encoding: chunked Transfer-Encoding: foo 0 Hello POST / HTTP/1.1 Host: example.com Content-Length: 8 Transfer-Encoding: chunked Transfer-Encoding: foo 0 HelloGET / HTTP/1.1 Host: example.com Actual Request What front-end server sees What back-end server sees
  • 12.
  • 13.
    Exploitation ● Open Redirection ●Access control restriction bypass ● Web cache poisoning ● Web cache deception ● Exposing rewritten requests ● Reflected XSS ● Capturing other user’s requests
  • 14.
    Prevention 1. Do notuse load balancers 2. If used, configure them properly to only accept what is acceptable by both the front-end server and the back-end server 3. Configuring front-end server to normalize ambiguous requests
  • 15.
    Special Thanks ● NullAhmedabad ● James Kettle ● Portswigger web security academy ● Mentors ● SlidesGo
  • 16.