Connect with us
X
Categories:

Technology

Browser-powered desync: Black Hat USA presents a new class of HTTP request smuggling attacks

Published

on

Browser-powered desync: Black Hat USA presents a new class of HTTP request smuggling attacks
Share this post:

Renowned researcher James Kettle demonstrates his latest attack technique in Las Vegas.

A new class of HTTP request smuggling attack allowed a security researcher to compromise multiple popular websites including Amazon and Akamai, break TLS, and exploit Apache servers.

Speaking at Black Hat USA yesterday (August 10), James Kettle unveiled research that opens the new frontier in HTTP request smuggling – browser-powered desync attacks.

The briefing and it’s whitepaper, titled ‘Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling’, builds on Kettle’s previous research into desync attacks.

 

Traditional desync attacks poison the connection between a front-end and back-end server and are therefore impossible on websites that don’t use a front-end/back-end architecture.

However this new technique causes a desync between the front-end and the browser, allowing an attacker to “craft high-severity exploits without relying on malformed requests that browsers will never send”, Kettle noted.

This can expose a whole new range of websites to server-side request smuggling and enables an attacker to perform client-side variations of these attacks by inducing a victim’s browser to poison its own connection to a vulnerable web server.

Kettle demonstrated how he was able to turn a victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks.

He was able to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms – in turn compromising targets including Amazon, Apache, Akamai, Varnish, and multiple web VPNs.

Discovery

Kettle told attendees at the 25th anniversary of the annual hacking conference that four separate vulnerabilities led to the discovery of browser-powered desync attacks.

The first, involving request validation, leverages a technique in which an attacker can use two requests down the same connection with a valid host header in order to gain access to the host in the second request, because the reverse proxy only validates the first host.

The second, first-request routing, is a closely related flaw which occurs when the front-end uses the first request’s Host header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.

Kettle also discovered a technique to detect connection-locked request smuggling by using a delay and reading the data early to decide if the front-end is using the Content-Length header.

If it is using the Content-Length it will time out, which will signify the difference between connection-locked HTTP/1 request smuggling and harmless HTTP pipelining.

A fourth vulnerability caused a desync known as CL.0/H2.0. Kettle was able to use this to compromise Amazon users’ accounts, enabling him to steal users’ requests and add them to his shopping list. He could capture all their requests, including tokens which could have enabled him to impersonate those users.

Speaking to Daily Swig, Kettle said: “I was really surprised that it was possible to cause a CL.0 desync and also a client-side desync using a legitimate, valid HTTP request.

“It’s understandable when servers get confused by requests that use header obfuscation to hit edge-cases, but getting desync’d by a completely valid, RFC-compliant HTTP request is something else.”

‘Much cooler’ exploit

Kettle reported this issue to Amazon, which fixed it, but he soon realized that he had “made a terrible mistake and missed out on a much cooler potential exploit”.

RECOMMENDED  Black Hat USA: Ox4Shell, a Log4j de-obfuscator, "dramatically" cuts down on analysis time

“The attack request was so vanilla that I could have made anyone’s web browser issue it using fetch(),” Kettle noted in a whitepaper.

“By using the HEAD technique on Amazon to create an XSS gadget and execute JavaScript in victim’s browsers, I could have made each infected victim re-launch the attack themselves, spreading it to numerous others.

“This would have released a desync worm – a self-replicating attack which exploits victims to infect others with no user-interaction, rapidly exploiting every active user on Amazon.

“I wouldn’t advise attempting this on a production system, but it could be fun to try on a staging environment. Ultimately this browser-powered desync was a cool finding, a missed opportunity, and also a hint at a new attack class.”

 

Most server-side desyncs can only be triggered by a custom HTTP client issuing a malformed request, but as Kettle proved with Amazon, it is sometimes possible to create a browser-powered server-side desync.

This enables exploitation of single-server websites, which Kettle noted “is valuable because they’re often spectacularly poor at HTTP parsing”.

“A client-side desync attack starts with the victim visiting the attacker’s website, which then makes their browser send two cross- domain requests to the vulnerable website,” Kettle explained.

“The first request is crafted to desync the browser’s connection and make the second request trigger a harmful response, typically giving the attacker control of the victim’s account.”

 

Kettle also demonstrated how he was able to carry out a pause-based desync attack, which occurs if a server doesn’t close a connection when timing out. If an attacker issues half of the request and pauses, the server times out and leaves the socket open. They can then issue the second half of the request that is issued as a new request.

Kettle also demonstrated how he was able to perform a client-side pause-based desync attack, where he broke TLS performing a manipulator-in-the-middle (MiTM) attack but instead of trying to decrypt the traffic, caused a delay when a specific packet size is encountered which can cause a client-side pause desync attack, which he successfully carried out on Apache.

He also automated detection of these client-side and identified a range of real vulnerable websites, including Akamai, Cisco’s web VPN, and Pulse Secure VPN.

Kettle told Daily Swig that he plans to do a few followup research drops continuing the request smuggling theme over the next couple of months, but that his next major research project “will target something entirely different”.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

iQoo 12: Global version of ex-flagship smartphone upgrades to Android 15
Technology3 hours ago

iQoo 12: Global version of ex-flagship smartphone upgrades to Android 15

RedMagic 10 Pro and RedMagic 10 Pro Plus to follow RedMagic Nova global release with huge ultra-bright displays
Technology4 hours ago

RedMagic 10 Pro and RedMagic 10 Pro Plus to follow RedMagic Nova global release with huge ultra-bright displays

OnePlus 13 posts impressive sales numbers before anticipated global release
Technology4 hours ago

OnePlus 13 posts impressive sales numbers before anticipated global release

Ruud van Nistelrooy updates Leny Yoro injury after Manchester United defender is pictured in training
Sports8 hours ago

Ruud van Nistelrooy updates Leny Yoro injury after Manchester United defender is pictured in training

Cole Palmer injury update leaves him in doubt for Chelsea against Arsenal
Sports8 hours ago

Cole Palmer injury update leaves him in doubt for Chelsea against Arsenal

Police kill two suspected kidnappers in Delta State
News9 hours ago

Police kill two suspected kidnappers in Delta State

Atiku congratulates Trump on US election victory
News9 hours ago

Atiku congratulates Trump on US election victory

Chief of Army Staff, Lagbaja passed away at age 56
News9 hours ago

Chief of Army Staff, Lagbaja passed away at age 56

Vector reveals one thing he doesn't understand about Africans
Entertainment9 hours ago

Vector reveals one thing he doesn’t understand about Africans

People always tell me to smile more — CKay
Entertainment9 hours ago

People always tell me to smile more — CKay

Hermes Iyele announces the death of his mother
Entertainment9 hours ago

Hermes Iyele announces the death of his mother

General22 hours ago

Skylar Grey – Everything I Need [LYRICS]

General23 hours ago

[Music] Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey

General23 hours ago

Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey [LYRICS]

General23 hours ago

[Music] African China – Amen

General23 hours ago

[Music] African China – Baba God

General23 hours ago

African China – Baba God [LYRICS]

General23 hours ago

Machine Gun Kelly (MGK) “Home” Feat X Ambassadors & Bebe Rexha [LYRICS]

General23 hours ago

Passenger – Let Her Go [LYRICS]

General23 hours ago

[Music] Eminem – “No Love” Feat. Lil Wayne

General23 hours ago

Eminem – “No Love” Feat. Lil Wayne [LYRICS]

Music23 hours ago

[Music] Tatiana Manaois – Buzz Kill

General23 hours ago

Tatiana Manaois – Buzz Kill [LYRICS]

General24 hours ago

James Blunt – Goodbye My Lover [LYRICS]

General24 hours ago

Major Lazer – “Particula” Feat. Nasty C , Ice Prince, Patoranking & Jidenna [LYRICS]

General24 hours ago

James Blunt – You’re Beautiful [LYRICS]

General24 hours ago

Justin Timberlake – Mirrors [LYRICS]

General24 hours ago

[Music] Darey – “Pray For Me” feat. Soweto Gospel Choir

General24 hours ago

Eminem – “Love The Way You Lie” Feat. Rihanna [LYRICS]

General24 hours ago

Goldlink ft. Miguel – Got Friends [LYRICS]

General1 day ago

Sia – I’m Still Here [LYRICS]

General1 day ago

Yo Gotti ft. Nicki Minaj – Rake It Up [LYRICS]

General1 day ago

Shane McMahon – Here Comes The Money [LYRICS]

General1 day ago

Journey – Faithfully [LYRICS]

General1 day ago

[Music] Journey – Faithfully

General1 day ago

Eminem – Not Afraid [LYRICS]

General1 day ago

[Music] Journey – Don’t Stop Believin’

General1 day ago

Journey – Don’t Stop Believin’ [LYRICS]

General1 day ago

21 Savage – Bank Account [LYRICS]

General1 day ago

Demi Lovato – Sober [LYRICS]

Gnash (singer)
Music5 days ago

[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you

John Legend
Music2 days ago

[INSTRUMENTAL] John Legend – All Of Me

Alan Walker
Music6 days ago

Alan Walker – Faded [INSTRUMENTAL]

21 Savage
Music3 days ago

[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me

Wiz Khalifa
Music4 days ago

[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth

Salvation Ministry Choir Amen
Lyrics2 days ago

Salvation Ministry Choir – Amen [LYRICS]

General6 days ago

[Music] The Chainsmokers – ‘Don’t Let Me Down’ Feat. Daya

Powfu (singer)
Music5 days ago

[Music] Powfu – Death Bed (Coffee for Your Head) Feat. Beabadoobee

General5 days ago

[Music] Wyclef Jean – “Sweetest Girl (Dollar Bill)” Feat. Akon, Lil Wayne, Niia

General3 days ago

[Music] Zayn Malik – Entertainer

Wiz Khalifa - See You Again ft. Charlie Puth
Music5 days ago

[Music] Wiz Khalifa – See You Again ft. Charlie Puth

Music4 days ago

[Music] Exalted Tribe (HICC) – We Dey Halla

Anna Kendrick
Music5 days ago

[Music] Anna Kendrick – Cups (Pitch Perfect’s “When I’m Gone”)

General23 hours ago

[Music] Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey

General2 days ago

[Music] John Legend – Love Me Now

Right Said Fred
Music5 days ago

[Music] Right Said Fred – Stand Up (For the Champions)

Salvation Ministries Mass Choir
Music2 days ago

[Music] Salvation Ministries Choir – Chioma Me Eh(Good God)

General1 day ago

[Music] Celine Dion – If That’s What It Takes

Salvation Ministries Mass Choir
Lyrics2 days ago

Salvation Ministries Choir – Chioma Me Eh(Good God) [LYRICS]

General1 day ago

[Music] P!nk – Try

General7 days ago

[Music] Shaggy – Strength Of A Woman

General2 days ago

[Music] Jaden Smith – Goku

Music4 days ago

[Music] Wiz Khalifa – See You Again (Remix) Feat Charlie Puth, Eminem, Tyga, & Chris Brown

R. Kelly
Music5 days ago

[Music] R. Kelly – World’s Greatest

General2 days ago

Magic! — Rude [LYRICS]

General1 day ago

[Music] Journey – Don’t Stop Believin’

General3 days ago

[Music] Cardi B – Bartier Cardi ft. 21 Savage

General4 days ago

[Music] Tyga ft. Offset – Taste

General1 day ago

[Music] P!nk – “Just Give Me A Reason” Feat. Nate Ruess

General3 days ago

[Music] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me

General7 days ago

[Music] Post Malone – Candy Paint

General6 days ago

[Music] R Kelly – When A Woman Loves

General1 day ago

[Music] African China – Western Union

General5 days ago

[Music] Luniz – “Got 5 On It” Feat. Michael Marshall (Tethered Mix from US)

General7 days ago

[Music] Shaggy – Church Heathen

General3 days ago

[Music] Lil Dicky ft. Chris Brown – Freaky Friday

Alec Benjamin (singer)
Music5 days ago

[Music] Alec Benjamin – Let Me Down Slowly

General6 days ago

[Music] Jessie J – ‘Bang Bang’ Feat. Ariana Grande & Nicki Minaj

Loren Allred
Music5 days ago

[Music] Loren Allred – Never Enough (From The Greatest Showman)

General2 days ago

[Music] Lil Durk – India Pt. II

ANE Billboard Hots



Join "ANE sabi" clique

Don't miss a thing, get ogbonge ANE latest updates to fuel your conversation daily.