The presentation discusses various techniques for smuggling headers and requests through to the back end of servers, including HTTP/2 to HTTP/1.1 downgrades, cache poisoning, and CL.CL request smuggling. The speaker also addresses assumptions made in their research and provides references for further reading.
- Smuggling research focused on HTTP/2 to HTTP/1.1 downgrades and new ways to sneak headers through to the back end
- Cache poisoning allows an attacker to overwrite responses in a cache with their own controlled value
- CL.CL request smuggling involves using two Content-Length headers to affect other users' requests
- Assumptions made in the research include different errors from front and back end servers, all headers being passed the same, and all servers passing the Content-Length header
- References are provided for further reading
The speaker demonstrates how an attacker can use cache poisoning to target a victim using CloudFront or any other caching proxy, overwriting responses in their cache with any value completely under the attacker's control.
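CL.CL smuggling, as summarized above, depends on the front end and back end each honoring a different one of two Content-Length headers. The following is an added example, not code from the presentation: a strict validator a proxy or application could apply before forwarding. The function name and sample requests are constructed for illustration, and it goes slightly beyond the two-header case by also rejecting comma-separated lists and malformed header names.

```python
# Added example: strict Content-Length validation for a raw HTTP/1.1 request.
# RFC 9112 section 6.3 requires rejecting conflicting Content-Length values;
# rejecting identical duplicates too is a stricter policy chosen here.

def content_length_verdict(raw: bytes):
    """Return ("ok", length) or ("reject", reason) for a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):
            return ("reject", "obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep:
            return ("reject", "malformed header line")
        if name != name.strip():
            # "Content-Length : 5" is parsed differently by different servers
            return ("reject", "whitespace around header name")
        if name.lower() == b"content-length":
            # One field line may itself carry a comma-separated list
            values.extend(v.strip(b" \t") for v in value.split(b","))
    if not values:
        return ("ok", 0)
    if any(not v.isdigit() for v in values):      # ASCII digits only, no sign
        return ("reject", "non-numeric Content-Length")
    if len(set(values)) > 1:
        return ("reject", "conflicting Content-Length values")
    if len(values) > 1:
        return ("reject", "duplicate Content-Length")
    return ("ok", int(values[0]))


# Constructed sample requests (example.test is a placeholder host)
NORMAL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CL_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
LISTED = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5, 5\r\n\r\nhello"
SPACED = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("cl.cl", CL_CL),
                       ("listed", LISTED), ("spaced", SPACED)]:
        print(label, content_length_verdict(req))
```

Rejecting the request outright, rather than picking one of the values, removes the disagreement between front end and back end that the technique relies on.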