
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling | PT SWARM

by James Kettle

In this paper, the researcher shows how to turn a victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. The article describes how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques the author compromises targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

Contents:
• HTTP handling anomalies
•• Connection state attacks
•• The surprise factor
•• Detecting connection-locked CL.TE
•• Browser-compatible CL.0
•• H2.0 on amazon.com
• Client-side desync
•• Methodology
•• Akamai stacked-HEAD
•• Cisco VPN client-side cache poisoning
•• Verisign fragmented chunk
•• Pulse Secure VPN
• Pause-based desync
•• Server-side
•• MITM-powered
• Conclusion
•• Further research
•• Defence
•• Summary

https://portswigger.net/research/browser-powered-desync-attacks