HTTP Request Smuggling in 2020 - New Variants, New Defenses and New Challenges

Explore the latest developments in HTTP Request Smuggling, a powerful attack technique that exploits inconsistencies in HTTP request interpretation. Delve into new variants, defenses, and challenges presented by security researcher Amit Klein at Black Hat. Learn about the history and evolution of this attack method, including its ability to bypass security solutions, poison caches, and hijack user requests. Discover innovative approaches to mitigating these threats, such as the Socket Abstraction Layer (SAL) and Request Smuggling Firewall (RSFW). Gain insights into design goals, function hooking, and implementation challenges on both Windows and Linux systems. Examine new research challenges, including unconventional uses of CR in header names and manipulations of Content-Length values. This comprehensive 43-minute presentation equips security professionals with essential knowledge to understand and defend against evolving HTTP Request Smuggling techniques in 2020 and beyond.

Intro
What is HTTP Request Smuggling?
Different interpretations of the TCP stream
A Short History
Is HTTP request Smuggling Still a Thing?
"Header SP/CR junk"
"Wait for it"
HTTP/1.2 to bypass CRS
Variant 3 (contd.)
A Plain Solution
CR Header
Overriding existing cache items
Flawed Approach #1
mod_security + CRS?
A different concept
A More Robust Approach
Design goals
Function Hooking
Socket Abstraction Layer (SAL)
SAL - What to Hook? (Windows)
SAL - What to Hook (Linux 64bit)
Challenges and Lessons Learned
Request Smuggling Firewall (RSFW)
New Research Challenges
CR in a header name is a hyphen
"Signed"Content-Length
Content-Length value with SP
Chunky Monkey Business