Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more



Splitting the email atom: exploiting parsers to bypass access controls

Researcher: Gareth Heyes


Black Hat USA 2024, 07 Aug 2024, 13:30
DEF CON 32, 11 Aug 2024, 10:00

Websites often parse users' email addresses to identify their organisation. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going...

In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defences leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers.

Then I'll introduce another class of attack - harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target.

I'll leave you with a full methodology and toolkit to identify and exploit your own targets, plus a CTF to develop your new skillset.

Gotta Cache Em All: Bending the Rules of Web Cache Exploitation

Researcher: Martin Doyhenard


Black Hat USA 2024, 07 Aug 2024
DEF CON 32, 09 Aug 2024

In recent years, web cache attacks have become a popular way to steal sensitive data, deface websites, and deliver exploits. We've also seen parser inconsistencies causing critical vulnerabilities like SSRF and HTTP Request Smuggling. This raises the question: what happens if we target web caches' URL-parsers?

In this session, I'll introduce two powerful new techniques that exploit RFC ambiguities to bypass the limitations of web cache deception and poisoning attacks and inflict some serious damage.

First, I'll introduce Static Path Deception, a novel technique to completely compromise the confidentiality of an application. I'll illustrate this with a case study showing how such a breach can be replicated in environments like Nginx behind Cloudflare and Apache behind CloudFront, using just their default configurations.

Next, I'll present Cache Key Confusion, and show how to exploit URL parsing inconsistencies in major platforms, including Microsoft Azure Cloud. I'll then show how to achieve arbitrary cache poisoning and full denial of service in OpenAI and countless platforms.

Finally, I'll reveal how to supercharge these vulnerabilities with a live demo that blends Cache Key Confusion with a "non-exploitable" open redirect. By modifying the response of a static javascript file, I'll show how to execute arbitrary JS code cross-domain.

Attendees will depart armed with a set of innovative techniques for uncovering concealed bugs, along with a definitive methodology to find and exploit these and other URL or HTTP discrepancies. To facilitate this, I'll provide an open-source tool to detect all discussed vulnerabilities, plus a lab to level-up your cache exploitation skills!

Listen to the Whispers: Web Timing Attacks that Actually Work

Researcher: James Kettle


Black Hat USA 2024, 07 Aug 2024, 10:20
DEF CON 32, 09 Aug 2024, 11:30

Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them.

In this session, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface.

This is not a theoretical threat; every technique will be illustrated with multiple real-world case studies on diverse targets. Unprecedented advances have made these attacks both accurate and efficient; in the space of ten seconds, you can now reliably detect a sub-millisecond differential with no prior configuration or 'lab conditions' required. In other words, I'm going to share timing attacks you can actually use.

To help, I'll equip you with a suite of battle-tested open-source tools enabling both hands-free automated exploitation, and custom attack scripting. I'll also share a little CTF to help you hone your new skillset.

Want to take things further? I'll help you transform your own attack ideas from theory to reality, by sharing a methodology refined through testing countless concepts on thousands of websites. We've neglected this omnipresent and incredibly powerful side-channel for too long.


Smashing the State Machine: The True Potential of Web Race Conditions

Researcher: James Kettle

Conferences: Nullcon Goa 2023, 23 Sep 2023 | DEF CON 31, 12 Aug 2023 | Black Hat USA 2023, 09 Aug 2023

Server Side Prototype Pollution: Blackbox detection without the DoS

Researcher: Gareth Heyes

Conferences: Nullcon Berlin 2023, 09 Mar 2023 | OWASP 2023 Global AppSec Dublin, 15 Feb 2023

Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

Researcher: James Kettle

Conferences: DEF CON 30, 12 Aug 2022 | Black Hat USA 2022, 10 Aug 2022

Hunting evasive vulnerabilities: finding flaws that others miss

Researcher: James Kettle

Conferences: Nullcon Berlin, 08 Apr 2022

HTTP/2: The Sequel is Always Worse

Researcher: James Kettle

Conferences: Black Hat Europe, 10 Nov 2021 | DEF CON 29, 06 Aug 2021 | Black Hat USA, 05 Aug 2021

Black Hat Europe Locknote: Conclusions and Key Takeaways

Researcher: James Kettle

Conferences: Black Hat Europe 2020, 10 Dec 2020

Portable Data exFiltration: XSS for PDFs

Researcher: Gareth Heyes

Conferences: Black Hat Europe 2020, 10 Dec 2020

Web Cache Entanglement: Novel Pathways to Poisoning

Researcher: James Kettle

Conferences: Black Hat USA 2020, 05 Aug 2020

XSS Magic Tricks

Researcher: Gareth Heyes

Conferences: Global AppSec Allstars, 26 Sep 2019

HTTP Desync Attacks: Smashing into the Cell Next Door

Researcher: James Kettle

Conferences: Black Hat USA 2019, 07 Aug 2019

Turbo Intruder: Embracing the billion-request attack

Researcher: James Kettle

Conferences: LevelUp 0x03, 25 Jan 2019

Practical Web Cache Poisoning: Redefining 'Unexploitable'

Researcher: James Kettle

Conferences: Black Hat USA 2018, 09 Aug 2018

Exploiting Unknown Browsers and Objects

Researcher: Gareth Heyes

Conferences: AppSec Europe, 06 Jul 2018

DOM based AngularJS Sandbox Escapes

Researcher: Gareth Heyes

Conferences: BSides Manchester, 17 Nov 2017

Cracking the Lens: Targeting HTTP's Hidden Attack-Surface

Researcher: James Kettle

Conferences: Black Hat USA 2017, 27 Jul 2017

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Researcher: James Kettle

Conferences: OWASP AppSec EU 2017, 12 May 2017

Backslash Powered Scanner: Automating Human Intuition

Researcher: James Kettle

Conferences: Black Hat Europe 2016, 05 Dec 2016

JSON Hijacking for the Modern Web

Researcher: Gareth Heyes

Conferences: OWASP London , 24 Nov 2016

Hunting Asynchronous Vulnerabilities

Researcher: James Kettle

Conferences: 44Con 2015, 15 Sep 2015

Server-Side Template Injection

Researcher: James Kettle

Conferences: Black Hat USA 2015, 05 Aug 2015