Philippe Arteau
Philippe is a security researcher at GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.
h3xstream
Which country are you from? –Canada
Session
Load balancers and proxies, such as HAProxy, Varnish, Squid and Nginx, play a crucial role in website performance, and they all have different HTTP protocol parser implementation. HTTP Request Smuggling (HRS) is an attack abusing inconsistencies between the interpretation of requests’ ending by HTTP request parsers. What might be considered the end of one request for your load balancer might not be considered as such by your web server.
We will see how an attacker can abuse several vulnerable configurations. HTTP Request Smuggling (HRS) enables multiple attack vectors, including cache poisoning, credential hijacking, URL filtering bypass, open-redirect and persistent XSS. For each of these vectors, a payload will be showcased and explained in-depth. Also, a live demonstration will be made to see the vulnerability in action. Aside from exploitation, we will show how developers and system administrators can detect such faulty configurations using automated tools.
Throughout the session, simple exercises will be given to participants to reproduce the exploitation of these vulnerabilities. A case of HTTP1 header confusion as well as more recent variants with the HTTP2 protocol will be exploited. To participate in the workshop section, you will need to install Burp Suite, Docker and Python.
By the end of this workshop, security enthusiasts from any level will have solid foundations to detect request smuggling, a vulnerability that has greatly evolved in the past 15 years.