HTTP Desync Attacks: Smashing into the Cell Next Door

HTTP Desync Attacks can be used by remote, unauthenticated attackers to splice their requests into others, play puppeteer with web infrastructure, and harvest bug bounties. The speaker shares new tools and techniques to desynchronize complex systems and make websites rain exploits on their visitors.

• HTTP requests are traditionally viewed as isolated, standalone entities, but attackers can smash through this isolation and splice their requests into others
• HTTP Desync Attacks can be used to play puppeteer with web infrastructure and harvest bug bounties
• The speaker shares new tools and techniques to desynchronize complex systems and make websites rain exploits on their visitors
• The speaker provides anecdotes of successful bug bounties and interesting reactions from website owners
• The speaker aims to demystify HTTP Desync Attacks and equip attendees to devise their own desync techniques and tailor attacks to their target of choice

The speaker shares an anecdote of a website owner who thought the vulnerability submitted to him was fake and another who took the technique and applied it to other bug bounty sites behind the speaker's back to earn pocket money. The speaker had no idea until the person ran into a technical problem and pretended to be someone else to ask for help, which did not work out well.

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties. Using these targets as case studies, I’ll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.