James Kettle / albinowax research overview


Upcoming Presentations

2019-01-19: LevelUp 0x03 - Turbo Intruder: Abusing HTTP (mis)features to Accelerate Attacks

Automated web application attacks are terminally limited by the number of HTTP requests they can send. It's impossible to know how many hacks have gone off the rails because you didn't quite manage to bruteforce a password, missed a race condition, or failed to find a crucial folder.

In this session I'll introduce, demo and distribute Turbo Intruder - a research-grade Burp extension built from scratch with speed in mind. Most tools struggle to reach 1,000 HTTPS requests per second (RPS), whereas Turbo Intruder uses a selection of custom HTTP stacks to exceed 30,000 RPS while minimising the chance of your router exploding. It's also designed to be fully extensible so you can easily launch multi-step attacks and filter responses.

As well as showing how to use the tool, I'll discuss the underlying HTTP abuse that enables it to go so fast, so you can attain similar speeds in any tools you happen to write. Finally, I'll cover some new research I'm currently pursuing on generating context-aware payloads and automatically identifying interesting responses.


Past presentations

  • ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
  • BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
  • BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
  • PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
  • NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
  • AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
  • AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
  • BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
  • 44Con 2015 - Hunting Asynchronous Vulnerabilities
  • BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
  • OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
  • ...and BSides Manchester every year since it started

Inspiration: gareth, magic mac, lcamtuf, filedescriptor, agarri, fin1te, ezequiel pereira, detectify, homakov, irsdl, .mario, insertScript, sirdarckcat, kkotowicz, ush.it, webstersprodigy, kuza55, neal poole and many others.

Misc

whoami

I'm the Head of Research at PortSwigger Web Security, where I design and refine vulnerability detection techniques for Burp Suite's scanner, and research novel attack techniques.


James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.

You can contact me via @albinowax on Twitter, xawonibla@gmail.com or elttek.semaj@portswigger.net