Talks

Upcoming

HTTP/2: The Sequel is Always Worse

Researcher: James Kettle

Conferences

DEF CON 29, 06 Aug 2021
Black Hat USA, 05 Aug 2021, 13:30 UTC

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.

I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. One of these attacks remarkably offers an array of exploit-paths surpassing all known techniques.

After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.

Finally, I'll drop multiple exploit-primitives that resurrect a largely forgotten class of vulnerability, and use HTTP/2 to expose a fresh application-layer attack surface.

I'll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems.

Previous

Black Hat Europe Locknote: Conclusions and Key Takeaways

Researcher: James Kettle

Conferences: Black Hat Europe 2020, 10 Dec 2020

Portable Data exFiltration: XSS for PDFs

Researcher: Gareth Heyes

Conferences: Black Hat Europe 2020, 10 Dec 2020

Web Cache Entanglement: Novel Pathways to Poisoning

Researcher: James Kettle

Conferences: Black Hat USA 2020, 05 Aug 2020

XSS Magic Tricks

Researcher: Gareth Heyes

Conferences: Global AppSec Allstars, 26 Sep 2019

HTTP Desync Attacks: Smashing into the Cell Next Door

Researcher: James Kettle

Conferences: Black Hat USA 2019, 07 Aug 2019

Turbo Intruder: Embracing the billion-request attack

Researcher: James Kettle

Conferences: LevelUp 0x03, 25 Jan 2019

Practical Web Cache Poisoning: Redefining 'Unexploitable'

Researcher: James Kettle

Conferences: Black Hat USA 2018, 09 Aug 2018

Exploiting Unknown Browsers and Objects

Researcher: Gareth Heyes

Conferences: AppSec Europe, 06 Jul 2018

DOM based AngularJS Sandbox Escapes

Researcher: Gareth Heyes

Conferences: BSides Manchester, 17 Nov 2017

Cracking the Lens: Targeting HTTP's Hidden Attack-Surface

Researcher: James Kettle

Conferences: Black Hat USA 2017, 27 Jul 2017

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Researcher: James Kettle

Conferences: OWASP AppSec EU 2017, 12 May 2017

Backslash Powered Scanner: Automating Human Intuition

Researcher: James Kettle

Conferences: Black Hat Europe 2016, 05 Dec 2016

JSON Hijacking for the Modern Web

Researcher: Gareth Heyes

Conferences: OWASP London, 24 Nov 2016

Hunting Asynchronous Vulnerabilities

Researcher: James Kettle

Conferences: 44Con 2015, 15 Sep 2015

Server-Side Template Injection

Researcher: James Kettle

Conferences: Black Hat USA 2015, 05 Aug 2015