Request Smuggling 101 • NorthSec 2024

Retour à la liste des conférenciers et sessions
Écoutez la diffusion

This presentation provides an overview of the latest research on HTTP Request Smuggling (HRS), an attack abusing inconsistencies between the interpretation of requests’ ending by HTTP request parsers. The attack occurs when, for the same stream, the proxy component sees one request while the web backend component sees two distinct requests. The most common risks will be presented, along with a set of payload variations and a live attack demonstration.

Load balancers and proxies, such as HAProxy, Varnish, Squid and Nginx, play a crucial role in website performance, and they all have different HTTP protocol parser implemented. HTTP Request Smuggling (HRS) is an attack abusing inconsistencies between the interpretation of requests’ ending by HTTP request parsers. What might be considered the end of one request for your load balancer might not be considered as such by your web server.

In this presentation, we will see how an attacker can abuse several vulnerable configurations. HTTP Request Smuggling (HRS) enable multiple attack vectors, including cache poisoning, credential hijacking, URL filtering bypass, open-redirect and persistent XSS. For each of these vectors, a payload will be showcased and explained in-depth. Also, a live demonstration will be made to see the vulnerability in-action. Aside from exploitation, we will show how developers and system administrators can detect such faulty configurations using automated tools.

By the end of this talk, security enthusiasts from any level will have solid foundations to mitigate request smuggling, a vulnerability that has greatly evolved in the past 15 years.