2022-08-11 12:02:40
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
by James Kettle
In this paper, the researcher shows how to turn a victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. The article describes how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques, the author compromised targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.
Contents:
• HTTP handling anomalies
•• Connection state attacks
•• The surprise factor
•• Detecting connection-locked CL.TE
•• Browser-compatible CL.0
•• H2.0 on amazon.com
• Client-side desync
•• Methodology
•• Akamai stacked-HEAD
•• Cisco VPN client-side cache poisoning
•• Verisign fragmented chunk
•• Pulse Secure VPN
• Pause-based desync
•• Server-side
•• MITM-powered
• Conclusion
•• Further research
•• Defence
•• Summary
https://portswigger.net/research/browser-powered-desync-attacks