The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end. In this paper, I'll show you how to turn your victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You'll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques I'll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

This new frontier offers both new opportunities and new challenges. While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I'll share a battle-tested methodology combining browser features and custom open-source tooling. We'll also release free online labs to help hone your new skillset.

I'll also share the research journey, uncovering a strategy for black-box analysis that solved a long-standing desync obstacle and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks. To wrap up, I'll demo mangling HTTPS to trigger an MITM-powered desync on Apache.

This research was presented live at Black Hat USA 2022 and DEF CON 30.

You can also read this post formatted as a printable whitepaper, suitable for offline reading, and the slides are also available.

HTTP handling anomalies covers the sequence of novel vulnerabilities and attack techniques that led to the core discovery of browser-powered desync attacks, plus severe flaws in and AWS Application Load Balancer.

Client-side desync introduces a new class of desync that poisons browser connection pools, with vulnerable systems ranging from major CDNs down to web VPNs.

Pause-based desync introduces a new desync technique affecting Apache and Varnish, which can be used to trigger both server-side and client-side desync exploits.

Conclusion offers practical advice for mitigating these threats, and potential variations which haven't yet been discovered.

In this paper I'll use the term "browser-powered desync attack" as a catch-all term referring to all desync attacks that can be triggered via a web browser. This encompasses all client-side desync attacks, plus some server-side ones.

As case studies, I'll target quite a few real websites. All vulnerabilities referenced in this paper have been reported to the relevant vendors, and patched unless otherwise mentioned. All bug bounties earned during our research are donated to charity.

This research is built on concepts introduced in HTTP Desync Attacks and HTTP/2: The Sequel is Always Worse - you may find it's worth referring back to those whitepapers if anything doesn't make sense. We've also covered the core, must-read aspects of this topic in our Web Security Academy. This paper introduces a lot of techniques, and I'm keen to make sure they work for you. My team has built an Academy topic with live replicas of key vulnerabilities, so you can practise online for free.