HF 2021 - Call for Papers

Load balancers and proxies, such as HAProxy, Varnish, Squid and Nginx, play a crucial role in website performance, and they all have different HTTP protocol parser implementation. HTTP Request Smuggling (HRS) is an attack abusing inconsistencies between the interpretation of requests’ ending by HTTP request parsers. What might be considered the end of one request for your load balancer might not be considered as such by your web server.

We will see how an attacker can abuse several vulnerable configurations. HTTP Request Smuggling (HRS) enables multiple attack vectors, including cache poisoning, credential hijacking, URL filtering bypass, open-redirect and persistent XSS. For each of these vectors, a payload will be showcased and explained in-depth. Also, a live demonstration will be made to see the vulnerability in action. Aside from exploitation, we will show how developers and system administrators can detect such faulty configurations using automated tools.

Throughout the session, simple exercises will be given to participants to reproduce the exploitation of these vulnerabilities. A case of HTTP1 header confusion as well as more recent variants with the HTTP2 protocol will be exploited. To participate in the workshop section, you will need to install Burp Suite, Docker and Python.

By the end of this workshop, security enthusiasts from any level will have solid foundations to detect request smuggling, a vulnerability that has greatly evolved in the past 15 years.