James 'albinowax' Kettle research overview

Contact Blogs
:

Upcoming Presentations

HTTP Desync Attacks: Smashing into the Cell Next Door

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k $70k in bug bounties.

Using these targets as case studies, I'll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise what's possibly your most trusted login page.

This is an attack the web is thoroughly unprepared for. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left it optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I'll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends.

I'll help you tackle this legacy by sharing a refined methodology and open source tooling for black-box detection, assessment and exploitation with minimal risk of collateral damage. These will be developed from core concepts, ensuring you leave equipped to devise your own desync techniques and tailor (or thwart) attacks against your target of choice.



Show/Hide past presentations Show/Hide past presentations

Past presentations

  • DEF CON 27 - HTTP Desync Attacks: Smashing into the Cell Next Door
  • BlackHat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
  • ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
  • BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
  • BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
  • PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
  • NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
  • AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
  • AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
  • BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
  • 44Con 2015 - Hunting Asynchronous Vulnerabilities
  • BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
  • OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
  • ...and BSides Manchester every year since it started

Inspiration: gareth, magic mac, lcamtuf, filedescriptor, agarri, fin1te, ezequiel pereira, detectify, homakov, irsdl, .mario, insertScript, sirdarckcat, kkotowicz, ush.it, webstersprodigy, kuza55, neal poole and many others.

Misc

whoami

I'm the Director of Research at PortSwigger Web Security, where I design and refine vulnerability detection techniques for Burp Suite's scanner, and research novel web attack techniques.

Show/Hide full bio Show/Hide full bio

James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.

You can contact me via @albinowax on Twitter, xawonibla@gmail.com or elttek.semaj@portswigger.net