Intro to HTTP and De-Sync Attacks
2021-06-12, 15:00–15:45, Track 2

Whether you are a network defender, pentester, or total noob, this presentation will teach you something about how HTTP works and how it can be broken. First, we will discuss basic HTTP concepts and some lesser-known features of the protocol. Then, we will explain and demonstrate HTTP De-Sync attacks popularized by James Kettle in 2019. Attend this presentation and walk away with a deeper understanding of the HTTP protocol, how web requests are processed, and novel HTTP attack techniques.

First, some core HTTP concepts will be introduced including a brief history of how the protocol has transformed since 1990. Next, some lesser-known “features” of HTTP will be explained such as chunked encoding and HTTP pipelining. Last, we will discuss HTTP Request Smuggling and De-synchronization attack techniques popularized by James Kettle (@albinowax) in 2019. In doing so, it helps to trace “HTTP Request Smuggling” back to its roots in a 2005 white paper published by Watchfire. We will also demonstrate two separate attacks, showing how a HTTP De-synchronization attack could be used to bypass access controls (such as WAF) or even hijack user sessions.

Cary Hooper is an offensive security engineer working for a Fortune 500 institution. Cary is a combat veteran and graduate of the United States Military Academy at West Point. He lead technical and non-technical teams within the Army Engineer Corps and Cyber Command. Cary’s certifications include CISSP, OSCE, OSCP, and OSWE.