
New Video from @_JohnHammond: Discussing HTTP/1.1 Vulnerabilities with James Kettle
In this video, John Hammond interviews James Kettle, Research Director at PortSwigger, about his recent findings on security vulnerabilities in the HTTP/1.1 protocol. Kettle presented the research at the Black Hat and DEF CON conferences, where he demonstrated the significant impact of "request smuggling" attacks on systems using HTTP/1.1.
Kettle explains that the widely used HTTP/1.1 protocol has critical flaws that allow attackers to manipulate requests between front-end and back-end servers. This manipulation, known as "request smuggling," can lead to catastrophic consequences, such as user session hijacking, injection of malicious JavaScript, and compromise of sensitive web pages. Kettle illustrates these vulnerabilities with concrete examples, such as the attack he conducted on PayPal, where he was able to inject malicious JavaScript into the login page, stealing users' passwords.
"Request smuggling" exploits the poor handling of request isolation in HTTP/1.1. By sending specially crafted requests, an attacker can create confusion between front-end and back-end servers, leading to unpredictable and dangerous behaviors. Kettle demonstrates how these attacks can be used to poison caches, redirect users to malicious sites, or even steal sensitive information.
To illustrate these concepts, Kettle uses a tool he developed called HTTP Request Smuggler, which is available as open source. The tool scans websites for "request smuggling" vulnerabilities. Kettle shows how it identifies discrepancies in request handling between front-end and back-end servers, and how those discrepancies can be exploited to cause desynchronization (desync attacks).
Kettle also explains that current defenses against "request smuggling" are often ineffective and can be bypassed with subtle techniques, such as adding spaces or using specific headers. He demonstrates how these techniques can be used to cause desynchronizations and manipulate server responses.
The practical implications of these findings are vast. Kettle reveals that his techniques have compromised major content delivery networks (CDNs) like Akamai, Cloudflare, and Fastly, meaning millions of websites are potentially vulnerable. He emphasizes that the only durable solution is to migrate to HTTP/2 or HTTP/3 for connections between front-end and back-end servers, as these protocols offer better request isolation.
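The defensive principle behind the discussion above is that a front-end must never guess where a request body ends. The following added example (not code from the video or from PortSwigger's HTTP Request Smuggler) shows the kind of strict framing check a front-end can apply to each request head: it rejects headers whose names are not valid tokens (such as a space before the colon), rejects requests carrying both Content-Length and Transfer-Encoding, and accepts only a bare `chunked` transfer coding. The sample requests are constructed for the example; this mitigates some desync variants but does not replace the durable fix of using HTTP/2 or HTTP/3 between front-end and back-end.

```python
import re

# Constructed sample request heads (not taken from the video or any real site).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding : chunked\r\n\r\n")

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 header-name token

def framing_problems(raw: bytes) -> list:
    """Return the reasons a request head is ambiguously framed (empty = accept).

    A front-end that refuses every request listed here never has to guess
    the body boundary, so its back-end cannot be handed a different one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    problems, cl_values, te_values = [], [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if b":" not in line:
            problems.append("malformed header line %r" % line)
            continue
        name, value = line.split(b":", 1)
        if not TOKEN.match(name):
            # e.g. "Transfer-Encoding : chunked": one parser sees a TE header,
            # another sees an unknown header and falls back to Content-Length
            problems.append("invalid header name %r" % name)
            continue
        lname = name.lower()
        if lname == b"content-length":
            cl_values.append(value.strip(b" \t"))
        elif lname == b"transfer-encoding":
            te_values.append(value.strip(b" \t"))
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl_values:
        if not v.isdigit():
            problems.append("non-numeric Content-Length %r" % v)
    for v in te_values:
        if v.lower() != b"chunked":   # only the bare, exact token is accepted
            problems.append("unsupported Transfer-Encoding %r" % v)
    return problems

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        print(label, framing_problems(req) or "accepted")
```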
In conclusion, Kettle calls for increased awareness of these vulnerabilities and concrete actions to address them. He encourages security researchers to use his tools and labs to explore these flaws and contribute to improving web system security.
To learn more, watch the full video at the following address: https://www.youtube.com/watch?v=n3Bw8CASnHE