HTTP/2: The Sequel is Always Worse - James Kettle (albinowax)

preview_player
Показать описание

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, James presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, James will take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.
  1. PortSwigger
  2. james kettle
  3. black hat usa
  4. black hat 2021
  5. burp suite
  6. portswigger
Рекомендации по теме
HTTP/2: The Sequel 0:44:16

HTTP/2: The Sequel is Always Worse - James Kettle (albinowax)

HTTP/2: The Sequel 0:38:14

HTTP/2: The Sequel is Always Worse

HTTP/2: The Sequel 0:35:15

HTTP/2: The Sequel is Always Worse

DEF CON 29 0:40:04

DEF CON 29 - James Kettle - HTTP2: The Sequel is Always Worse

🌻 HTTP/2 Request 0:55:44

🌻 HTTP/2 Request Smuggling - TryHackMe Walk Through - 🌻

HTTP/2 request smuggling 0:07:28

HTTP/2 request smuggling (explained using beer)

Что нового в 0:12:38

Что нового в протоколе HTTP/2? Может ли ваш NGFW видеть в нем файлы? Зачем нужен ALPN?...

'Truman Show' Sequel: 0:01:09

'Truman Show' Sequel: Jim Carrey Has a Very Philosophical Idea

WOW! HTTP/2 Clear 0:18:45

WOW! HTTP/2 Clear Text (h2c) Smuggling is a SERIOUS flaw and very easy to Execute, Let us discuss!

Working with HTTP/2 0:06:06

Working with HTTP/2 in Burp Suite

Tarantino asks Tom 0:00:34

Tarantino asks Tom Cruise why he did a Top Gun sequel 🛩️ #topgunmaverick #filmmaking

Split Fiction | 0:03:12

Split Fiction | Official Gameplay Reveal Trailer

Barack Obama on 0:00:55

Barack Obama on Donald Trump: 'The Sequel Is Usually Worse'

Borderlands The Pre 0:02:02

Borderlands The Pre Sequel : Handsome Jack Trailer

Hogwarts Legacy is 0:00:21

Hogwarts Legacy is GETTING a Sequel and HBO Series 🔥

Movies That Were 0:03:16

Movies That Were So Bad They Had To Cancel The Sequel

Labyrinth: The Movie 0:15:19

Labyrinth: The Movie Sequel You Missed

HACKING HTTP/2: h2c 0:04:55

HACKING HTTP/2: h2c SMUGGLING

Better performances on 0:48:25

Better performances on the server side with HTTP/2 - Thomas Segismont @tsegismont

Smile 2 Right 0:00:09

Smile 2 Right Out of Theater Review and Reaction - A Sequel That Will Make You Smile And Scream!

Анализ HTTP/2 в 0:12:38

Анализ HTTP/2 в NGFW. Денис Батранков

DC's Huge Sequel 0:11:53

DC's Huge Sequel Problem

2010: The Year 0:11:22

2010: The Year We Make Contact - The Best Sequel You Never Saw

Gatorade Pod! (The 0:00:31

Gatorade Pod! (The Sequel) @tleemclaughlin #shorts

Комментарии
Автор

Considering the impact of these the bounties are kind of ridiculously low. This guy just owned half of all internet services.

Автор

Thanks James for sharing your research; forever grateful.

stupidmonkeyx
Автор

This is huge and you've spent >1year researching. I think you deserve more rewards.

bokunochannel
Автор

My mother walked on me watching this and I immediately switched to porn because it is easier to explain

haythamkt
Автор

Great presentation! I learned a lot. Thank you.

oreli
Автор

Will we see HTTP/3 attack next defcon event

alan.m.rebeira
Автор

Amazing presentation! Thanks for sharing. However, I wonder what is the impact of the bottle behind you? Can you ellaborate ?

chipoleto
Автор

Outstanding research. I use nginx and in many stacks I'm doing http2 downgrading, maybe I should http2 until nodeJS. Is nginx vulnerable to the attacks you showed ?

fabcotechnologies
Автор

thanks for this great content,
i've only could exploit request smuggling to myself everywhere i tried :(

hdphoenix