Practical HTTP Header Smuggling - Sneaking Past Reverse Proxies to Attack AWS and Beyond

Black Hat via YouTube

Overview

Explore the intricacies of HTTP header smuggling in this 27-minute Black Hat conference talk. Delve into how web application vulnerabilities arise from flawed implementations of proxy servers handling HTTP headers. Learn about recent developments in header smuggling techniques and their potential for triggering exploitable behaviors. Discover practical examples of mutation techniques, including identity, space before colon, and header name junk. Follow a methodology for detecting and exploiting header smuggling vulnerabilities, including generating back-end errors and comparing responses. Examine real-world case studies, such as an AWS Cognito partial rate limit bypass and cache poisoning with API Gateway. Gain insights into detecting CL.CL request smuggling and understand potential defenses against these attacks. Equip yourself with valuable knowledge to enhance web application security and protect against sophisticated header smuggling exploits.

Syllabus

Intro
Outline
Web Application Architecture
What is Header Smuggling?
Mutation examples: Identity
Mutation examples: Space before colon
Mutation examples: Header name junk
Methodology Aims
Methodology Example
Generate a Back-End Error
Base Request Comparison: A valid value in the mutated header produces the same result
Error Comparison
Guess Headers
AWS Cognito Partial Rate Limit Bypass
Cache Poisoning With API Gateway
What happens when we introduce a cache?
Detecting CL.CL Request Smuggling
The Bug
Generate the First Error
Defences
References

Taught by

Black Hat
