HTTP Request Smuggling is an attack technique invented in 2005, that exploits different interpretations of a stream of non-standard HTTP requests among various HTTP devices between the client (attacker) and the server (including the server itself). It can be used to smuggle requests across WAFs and security solutions, poison HTTP caches, inject responses to users and hijack user requests.
In the first part of my talk, I present new HTTP Request Smuggling attack variants that work against present-day web servers and HTTP proxy servers. I also present an attack which circumvents the HTTP Request Smuggling protection in a free, open source WAF.
In the second part of my talk, I describe my C++ "Request Smuggling Firewall" class library that can be injected to any user-space process (web server or proxy server) to provide robust socket-level protection against HTTP Request Smuggling.
I conclude with some anomalies I found in various web servers and proxy servers, showing there is a lot of potential for additional research in this area.
Amit Klein is a world-renowned information security expert, with 29 years in information security and over 30 published technical and academic papers on this topic. Amit is the VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration, and lateral movement attacks. Before SafeBreach, Amit was the CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was Chief Scientist for Cyota (acquired by RSA) for 2 years, and prior to that, Director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of the year 2010 , and has presented at Black Hat USA, DEF CON, Usenix, NDSS, InfoCom, DSN, HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG, and AusCERT.
Jesse Munos is Technical Marketing Manager for Extrahop, where he provides competitive analysis and technical content to his marketing focused peers. Jesse started his career in 2014 as an escalations engineer with Cisco Systems where he focused on EDR and Malware Sandboxing technologies and API integrations. During that time, he also presented at Cisco Live providing deep dive technical breakdowns and executive level briefings on Ciscos security portfolio. He focuses on pushing best of breed technology solutions that meet current customer needs while guiding product development to embrace the broader ecosystem integrations. On his own time, he is an avid fiction reader with a penchant for military science fiction and fantasy, which melds well with his taste for scotch and wheat beer. If you catch him on the street feel free to bribe him with good conversation and hearty libation.