Conference: Defcon 31
Authors: James Kettle, Director of Research, PortSwigger
2023-08-01

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with. Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs at high-profile websites to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. To handle this explosion of attack surface, I'll share a polished methodology designed to help you eke out subtle tell-tale clues and scent blood long before sacrificing anything to the RNG gods. I've also taken lore amassed over years of research into HTTP Desync Attacks and developed a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub-1ms execution window. Alongside the open source tool, we'll also release free online labs so you can try out your new skillset immediately.
Authors: Teju Nareddy
2022-10-25

TL;DR (powered by Generative AI)

Envoy developers use coverage-guided fuzz tests to automatically discover parser bugs and harden Envoy for production deployments.
  • Service proxies are becoming increasingly complex data parsers
  • Envoy supports HTTP protocol translation, payload decompression, gRPC-JSON transcoding, and many other features that operate directly on raw request bytes
  • Malicious HTTP requests may trigger undefined behavior, resulting in service mesh downtime
  • Coverage-guided fuzz tests capture intricate corner cases that a developer may have missed
  • Integration with OSS Fuzz provides continuous fuzz testing and vulnerability reports
  • Continuous fuzzing is essentially running fuzzers 24/7 in the background
  • Coverage-guided fuzzers employ a feedback loop to generate inputs based on code coverage
  • Fuzzing as an optimization problem: the fuzzer searches the input space, with a loss function that is inversely proportional to the code coverage an input achieves
Conference: CloudOpen 2022
Authors: Chenxi Li
2022-06-21

HTTP(S) is one of the most popular application protocols. Many well-known applications, such as Kubernetes and TiDB, rely heavily on the HTTP(S) protocol. However, HTTP connections might fail due to various faults, such as network aborts, long delays, or even man-in-the-middle attacks, making services unavailable to users. In such cases, simulating HTTP faults with a chaos engineering tool can be extremely beneficial for ensuring the robustness and resilience of the application, particularly distributed ones. In this talk, Chenxi Li will show how to implement HTTPChaos, a chaos engineering mechanism that injects faults into common HTTP applications without any configuration. The theory and Rust implementation of a transparent proxy, the solution for hijacking HTTPS services on Kubernetes, and the plugins used to inject the message body according to custom requirements will also be covered.