Explore the intricacies of HTTP Request Smuggling (HRS) in this comprehensive conference talk from NorthSec 2021. Delve into the latest research on this attack vector, which exploits inconsistencies in HTTP request parsing between proxy components and web backend systems. Learn how attackers can manipulate these differences to execute various malicious activities, including cache poisoning, credential hijacking, URL filtering bypass, open-redirect, and persistent XSS. Examine common risks associated with HRS and discover a range of payload variations through detailed explanations and a live attack demonstration. Gain insights into the crucial role of load balancers and proxies in website performance, and understand how their diverse HTTP protocol parsers can be vulnerable to exploitation. Acquire practical knowledge on detecting faulty configurations using automated tools, empowering developers and system administrators to effectively mitigate request smuggling vulnerabilities. By the end of this 34-minute presentation, security enthusiasts of all levels will have a solid foundation in combating this evolving threat that has significantly progressed over the past 15 years.
Overview
Syllabus
NSEC2021 - Philippe Arteau - Request Smuggling 101
Taught by
NorthSec