HTTP Desync Attacks: Request Smuggling Reborn

Conference:  BlackHat EU 2019



The presentation discusses the technique of request smuggling and its potential vulnerabilities in modern websites. It provides a methodology for detecting and exploiting these vulnerabilities, as well as defense mechanisms to prevent them.
  • Modern websites use a chain of web servers speaking HTTP over a stream-based transport layer protocol like TCP or TLS, which can lead to vulnerabilities in the system
  • Request smuggling is a technique that can be used to bypass security roles and spoof IP addresses
  • The presentation provides a methodology for detecting and exploiting these vulnerabilities, including using timing techniques and multiple request techniques
  • Defense mechanisms to prevent request smuggling attacks are also discussed
The presenter shares anecdotes of exploiting real websites using request smuggling, including bypassing security roles and spoofing IP addresses. They also discuss the potential for false positives and false negatives when using this technique.


HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $70k in bug bounties.Using these targets as case studies, I'll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise PayPal's login page.HTTP Request Smuggling was first documented back in 2005, but a fearsome reputation for difficulty and collateral damage left it mostly ignored for years while the web's susceptibility grew. Alongside new attack variants and exploitation vectors, I'll help you tackle this legacy with custom open source tooling and a refined methodology for reliable black-box detection, assessment and exploitation with minimal risk of collateral damage. Finally, I'll take a critical look at various significant developments that occurred after this presentation was first delivered at Black Hat USA earlier this year.