HF 2021 - Call for Papers

Request Smuggling Workshop
11-20, 15:00–17:00 (Canada/Eastern), Sponsors - Workshops
Language: English

Load balancers and proxies, such as HAProxy, Varnish, Squid and Nginx, play a crucial role in website performance, and they all have different HTTP protocol parser implementation. HTTP Request Smuggling (HRS) is an attack abusing inconsistencies between the interpretation of requests’ ending by HTTP request parsers. What might be considered the end of one request for your load balancer might not be considered as such by your web server.

We will see how an attacker can abuse several vulnerable configurations. HTTP Request Smuggling (HRS) enables multiple attack vectors, including cache poisoning, credential hijacking, URL filtering bypass, open-redirect and persistent XSS. For each of these vectors, a payload will be showcased and explained in-depth. Also, a live demonstration will be made to see the vulnerability in action. Aside from exploitation, we will show how developers and system administrators can detect such faulty configurations using automated tools.

Throughout the session, simple exercises will be given to participants to reproduce the exploitation of these vulnerabilities. A case of HTTP1 header confusion as well as more recent variants with the HTTP2 protocol will be exploited. To participate in the workshop section, you will need to install Burp Suite, Docker and Python.

By the end of this workshop, security enthusiasts from any level will have solid foundations to detect request smuggling, a vulnerability that has greatly evolved in the past 15 years.


Request Smuggling has been trending in the past two years. It is new compared to other application vulnerabilities. This presentation introduces newcomers to the subject. The goal is to focus on the main attack vectors (credential hijacking, URL filtering bypass and persistent XSS) and their impact rather than showing tons of payload variations. The workshop will showcase real applications for participants to experiment. Something that can’t be found at the moment. PortSwigger Web Academy is a very nice introduction. However, the fact the infrastructure is faked hide the complexity of this type of exploitation.

Exercises (4)

-HTTP1 CL.TE
-HTTP2 Cleartext
-WebSocket
-HTTP2 header injection


Are you releasing a tool? – no Have this talk already be given? – no

Philippe is a security researcher at GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.