Practical HTTP Header Smuggling - Sneaking Past Reverse Proxies to Attack AWS and Beyond
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the intricacies of HTTP header smuggling in this 27-minute Black Hat conference talk. Delve into how web application vulnerabilities arise from flawed implementations of proxy servers handling HTTP headers. Learn about recent developments in header smuggling techniques and their potential for triggering exploitable behaviors. Discover practical examples of mutation techniques, including identity, space before colon, and header name junk. Follow a methodology for detecting and exploiting header smuggling vulnerabilities, including generating back-end errors and comparing responses. Examine real-world case studies, such as an AWS Cognito partial rate limit bypass and cache poisoning with API Gateway. Gain insights into detecting CL.CL request smuggling and understand potential defenses against these attacks. Equip yourself with valuable knowledge to enhance web application security and protect against sophisticated header smuggling exploits.
Syllabus
Intro
Outline
Web Application Architecture
What is Header Smuggling?
Mutation examples: Identity
Mutation examples: Space before colon
Mutation examples: Header name junk
Methodology Aims
Methodology Example
Generate a Back-End Error
Base Request Comparison: a valid value in the mutated header produces the same result
Error Comparison
Guess Headers
AWS Cognito Partial Rate Limit Bypass
Cache Poisoning With API Gateway
What happens when we introduce a cache?
Detecting CL.CL Request Smuggling
The Bug
Generate the First Error
Defences
References
Taught by
Black Hat