Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Response Smuggling - Pwning HTTP/1.1 Connections

Hack In The Box Security Conference via YouTube

Overview

Explore advanced HTTP response smuggling techniques in this 55-minute conference talk from Hack In The Box Security Conference. Delve into a new approach focusing on response pipeline desynchronization, an unexplored attack vector in HTTP Smuggling. Discover a Desync variant exploiting a vulnerability in the HTTP protocol itself, reported under Google's Vulnerability Reward Program. Learn how to inject multiple messages at the backend server, hijack user sessions, and increase attack reliability. Examine the novel Response Scripting technique for creating custom malicious outbound messages using static responses. Watch a live demonstration showcasing how to gain control over two major ERP systems. Gain insights from security researcher Martin Doyhenard's expertise in Web security and reverse engineering, including his work on SAP and Oracle products.

Syllabus

Introduction
Agenda
What is Response Smuggling
Connection Headers
Exploits
Request Smuggling
Desynchronization
Synchronization Attack
Synchronization Attack Example
Demo
Cache Control Demo
In Real Systems
Video Demo
New Response
Conclusions
Questions

Taught by

Hack In The Box Security Conference

Reviews

Start your review of Response Smuggling - Pwning HTTP/1.1 Connections

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.