#HITBCW2021 D2 - Response Smuggling: Pwning HTTP/1.1 Connections - Martin Doyhenard

Over the past few years, we have seen some novel presentations re-introducing the concept of HTTP request smuggling to reliably exploit complex landscapes and systems. With advanced techniques, researchers were able to bypass restrictions and breach the security of critical web applications. But has everything been said about HTTP Desync exploitation, or is it just the tip of the iceberg?

This presentation will take a new approach, focusing on the response pipeline desynchronization, a rather unexplored attack vector in HTTP Smuggling.

First, I will introduce a Desync variant, which does not abuse discrepancies between HTTP parsers but instead relies on a vulnerability in the protocol itself! The issue was found and reported under Google’s Vulnerability Reward Program for a nice bounty!

Next, I’ll show how it is possible to inject multiple messages at the backend server, mixing the pipeline’s connection order, and hijacking users' sessions from login requests. This will also be used to increase the reliability of the attack, by flooding the response queue with malicious messages.
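The pipeline-order mixing described above can be illustrated with a small simulation. This is an added example, not the speaker's code and not the vulnerability from the talk: it assumes a front end that multiplexes several clients over one keep-alive HTTP/1.1 backend connection, counts one request per client write, and hands each backend response to the oldest client still waiting, while the backend parses requests strictly by Content-Length (chunked encoding is deliberately not modelled). The hostnames, paths, cookie value and credentials are constructed.

```python
# Added simulation (not the talk's code): HTTP/1.1 response-queue desync.
# A front end that maps backend responses to clients purely by arrival order
# goes out of step as soon as one client write yields two backend requests.
from collections import deque


def split_one(data: bytes):
    """Return (first complete HTTP/1.1 message, remainder) using Content-Length.
    Chunked transfer encoding is not modelled (assumption of this example)."""
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return None, data
    length = 0
    for line in data[:head_end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    end = head_end + 4 + length
    if len(data) < end:
        return None, data
    return data[:end], data[end:]


def http_request(method: str, path: str, body: bytes = b"") -> bytes:
    """Build a minimal request; app.example is a constructed hostname."""
    return (f"{method} {path} HTTP/1.1\r\nHost: app.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


class Backend:
    """Parses requests by Content-Length and answers each one in order."""

    def __init__(self):
        self.inbuf = b""
        self.outbuf = b""  # responses queued on the single front-end connection

    def receive(self, data: bytes) -> None:
        self.inbuf += data
        while True:
            req, self.inbuf = split_one(self.inbuf)
            if req is None:
                break
            self.outbuf += self.respond(req)

    @staticmethod
    def respond(req: bytes) -> bytes:
        request_line = req.split(b"\r\n", 1)[0]
        extra = b""
        # A login request is answered with a session cookie (constructed value).
        if request_line.startswith(b"POST /login"):
            extra = b"Set-Cookie: session=victim-session\r\n"
        body = b"response to " + request_line
        return (b"HTTP/1.1 200 OK\r\n" + extra +
                b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


class FrontEnd:
    """Counts one request per client write (simplification) and delivers each
    backend response to the oldest client still waiting on this connection."""

    def __init__(self, backend: Backend):
        self.backend = backend
        self.waiting = deque()
        self.delivered = {}

    def send(self, client: str, raw: bytes) -> None:
        self.waiting.append(client)
        self.backend.receive(raw)
        self.pump()

    def pump(self) -> None:
        while self.waiting:
            resp, rest = split_one(self.backend.outbuf)
            if resp is None:
                break
            self.backend.outbuf = rest
            self.delivered.setdefault(self.waiting.popleft(), []).append(resp)


def run_scenario(smuggle: bool) -> dict:
    """Attacker, then a victim login, then the attacker again; returns who got what."""
    fe = FrontEnd(Backend())
    first = http_request("GET", "/a")
    if smuggle:
        # One client write, two backend requests: the response queue is now one ahead.
        first += http_request("GET", "/b")
    fe.send("attacker", first)
    fe.send("victim", http_request("POST", "/login", b"user=victim&pass=hunter2"))
    fe.send("attacker", http_request("GET", "/c"))
    return fe.delivered


if __name__ == "__main__":
    for who, responses in run_scenario(smuggle=True).items():
        for r in responses:
            print(who, "<-", r.split(b"\r\n\r\n", 1)[1].decode())
```

With `smuggle=True` the victim receives the response to the smuggled `GET /b`, and the attacker's follow-up `GET /c` is answered with the victim's login response, including its `Set-Cookie` header. With `smuggle=False` every client gets its own response, which is the control case to compare against.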

Finally, I’ll present a novel technique, known as Response Scripting, to create custom malicious outbound messages using static responses as the building blocks. This will be leveraged in a real DEMO to gain control over two of the largest ERP systems in the world.

===

Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessments of SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on web security and reverse engineering.

Over the past 3 years, Martin has reported critical vulnerabilities to SAP and Oracle, and has presented his research at conferences such as RSA, Troopers and EkoParty.