{"id":12869,"date":"2023-07-17T23:51:28","date_gmt":"2023-07-17T23:51:28","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?post_type=session&#038;p=12869"},"modified":"2024-09-03T02:20:24","modified_gmt":"2024-09-03T02:20:24","slug":"leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/","title":{"rendered":"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution"},"content":{"rendered":"<div class=\"simple_format\">\n<p><strong><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/materials\/D2T1%20-%20Leveraging%20Request%20Smuggling%20For%20Authentication%20Bypass%20and%20Remote%20Code%20Execution%20-%20Adam%20Crosser.pdf\">PRESENTATION SLIDES<\/a><\/strong><\/p>\n<p style=\"text-align: justify;\">Offensive cybersecurity practitioners are familiar with the abbreviations XSS, CSRF, and SQLi, but how many people really recognize HRS (HTTP Request Smuggling)? Even though the original HRS paper came out nearly 20 years ago, we think request smuggling remains underappreciated in today\u2019s security world. In this presentation, we discuss three HTTP request smuggling vulnerabilities we identified in F5 BIG-IP and Qlik Sense Enterprise that lead to widespread unauthenticated remote code execution, affecting roughly ten percent of the global Fortune 500, which have instances of these applications exposed to the Internet. We have released three blog posts detailing these vulnerabilities, which we have dubbed ZeroQlik, DoubleQlik, and Refresh.<\/p>\n<p style=\"text-align: justify;\">HRS, which emerged in 2005, has recently been repopularized by PortSwigger\u2019s research. 
We will discuss today\u2019s application world and describe a few different architecture types that are particularly vulnerable to request smuggling. Existing posts on the topic provide theoretical examples, but they fail to progress past contrived sample scenarios. In contrast, we will touch on these categories only briefly to explain what HRS actually is, and do the bulk of our explaining once we move on to real-world scenarios. We will primarily focus on three critical-risk HRS vulnerabilities we recently responsibly disclosed: CVE-2023-41265, CVE-2023-48365, and CVE-2023-46747.<\/p>\n<p style=\"text-align: justify;\">After our review of the three critical-risk HRS 0-days we discovered, we will present key takeaways for reviewing application architecture for HRS. In our experience, nearly every web application penetration tester knows where and how to look for SQLi and XSS. But when we first started evaluating applications, we had only a limited idea of what HRS was and a vague concept of when to look for it. We want everyone watching to take away the main idea from our talk: just as a login screen makes you think of trying ' or 1=1 to probe for SQLi, when you see two different parts of an application processing the same HTTP requests, each responsible for a different part of the security model, think \u201cHTTP request smuggling\u201d. 
We will conclude with thoughts on how to approach looking for request smuggling vulnerabilities and recommendations on fixing request smuggling.<\/p>\n<\/div>\n","protected":false},"template":"","class_list":["post-12869","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution - HITBSecConf2024 - Bangkok<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution - HITBSecConf2024 - Bangkok\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES Offensive cybersecurity practitioners are familiar with the abbreviations XSS, CSRF, and SQLi, but how many people really recognize HRS (HTTP Request Smuggling)? Even though the original HRS paper came out nearly 20 years ago, we think request smuggling remains underappreciated in today\u2019s security world. 
In this presentation, we discuss three HTTP request smuggling [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2024 - Bangkok\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-03T02:20:24+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/\",\"name\":\"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution - HITBSecConf2024 - 
Bangkok\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\"},\"datePublished\":\"2023-07-17T23:51:28+00:00\",\"dateModified\":\"2024-09-03T02:20:24+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\",\"name\":\"HITBSecConf2024 - Bangkok\",\"description\":\"August 26 - 30 @ InterContinental\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution - HITBSecConf2024 - Bangkok","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/","og_locale":"en_US","og_type":"article","og_title":"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution - HITBSecConf2024 - Bangkok","og_description":"PRESENTATION SLIDES Offensive cybersecurity practitioners are familiar with the abbreviations XSS, CSRF, and SQLi, but how many people really recognize HRS (HTTP Request Smuggling)? Even though the original HRS paper came out nearly 20 years ago, we think request smuggling remains underappreciated in today\u2019s security world. In this presentation, we discuss three HTTP request smuggling [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/","og_site_name":"HITBSecConf2024 - Bangkok","article_modified_time":"2024-09-03T02:20:24+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/","name":"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution - HITBSecConf2024 - Bangkok","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website"},"datePublished":"2023-07-17T23:51:28+00:00","dateModified":"2024-09-03T02:20:24+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/leveraging-request-smuggling-for-authentication-bypass-and-remote-code-execution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/"},{"@type":"ListItem","position":3,"name":"Leveraging Request Smuggling For Authentication Bypass and Remote Code Execution"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/","name":"HITBSecConf2024 - Bangkok","description":"August 26 - 30 @ 
InterContinental","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session\/12869"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/media?parent=12869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
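The parser differential that the abstract's takeaway points at (two components handling the same HTTP bytes, each owning a different part of the security model) is easiest to see in code. The following is an added example written for this page; it is not code from the talk, from Praetorian, or from F5 or Qlik, and it models the generic textbook Content-Length versus Transfer-Encoding disagreement rather than the specific bugs behind the three CVEs. The host name and the sample traffic are constructed, and `frame`, `reject_ambiguous` and the policy names are hypothetical names chosen for the example.

```python
"""
Minimal model of HTTP request smuggling as a parser differential (added example).
A front end that authorises requests and a back end that serves them share one
connection but frame the byte stream by different rules, so they disagree about
where one request ends and the next begins.
"""
from __future__ import annotations

from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass
class Request:
    request_line: str
    headers: list[tuple[str, str]]  # list, not dict, so duplicate headers stay visible
    body: bytes

    def header(self, name: str) -> str | None:
        for k, v in self.headers:
            if k == name.lower():
                return v
        return None


def _parse_head(buf: bytes, start: int):
    """Return (request_line, headers, body_offset), or None if no complete header block yet."""
    end = buf.find(CRLF + CRLF, start)
    if end < 0:
        return None
    lines = buf[start:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def _read_chunked(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a chunked body (no trailers); return (body, offset just past the final CRLF)."""
    body = b""
    while True:
        line_end = buf.find(CRLF, pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(buf[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return body, pos + 2  # skip the empty line that terminates the body
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def frame(buf: bytes, policy: str) -> tuple[list[Request], bytes]:
    """Split one byte stream into requests under a framing policy.

    "cl": trust Content-Length and ignore Transfer-Encoding (a lax component).
    "te": Transfer-Encoding: chunked wins over Content-Length (RFC 9112 section 6.3).
    Returns the requests seen plus any bytes left buffered for the next request.
    """
    requests, pos = [], 0
    while pos < len(buf):
        head = _parse_head(buf, pos)
        if head is None:
            break
        request_line, headers, body_start = head
        req = Request(request_line, headers, b"")
        if policy == "te" and (req.header("transfer-encoding") or "").lower() == "chunked":
            req.body, pos = _read_chunked(buf, body_start)
        else:
            length = int(req.header("content-length") or 0)
            req.body = buf[body_start:body_start + length]
            pos = body_start + length
        requests.append(req)
    return requests, buf[pos:]


def reject_ambiguous(req: Request) -> None:
    """The check a hardened front end applies before forwarding: refuse any request
    whose framing two reasonable parsers could read differently."""
    cls = [v for k, v in req.headers if k == "content-length"]
    tes = [v for k, v in req.headers if k == "transfer-encoding"]
    if cls and tes:
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if len(set(cls)) > 1:
        raise ValueError("conflicting Content-Length values")
    if any(v.lower() != "chunked" for v in tes):
        raise ValueError("unsupported Transfer-Encoding")


# Constructed sample traffic (hypothetical host). The attacker's POST is framed so that a
# Content-Length parser consumes the whole body, while a chunked parser stops at the
# 0-chunk and leaves "GET /admin ..." buffered as the start of the NEXT request.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: app.example.internal\r\n"
    + b"Content-Length: %d\r\n" % len(ATTACKER_BODY)
    + b"Transfer-Encoding: chunked\r\n\r\n" + ATTACKER_BODY
)
VICTIM_REQUEST = b"GET /public HTTP/1.1\r\nHost: app.example.internal\r\n\r\n"
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST


def what_each_side_sees() -> dict[str, list[str]]:
    """Request lines as seen by a CL-trusting front end versus a TE-honouring back end."""
    return {p: [r.request_line for r in frame(STREAM, p)[0]] for p in ("cl", "te")}


def front_end_blocks_it() -> bool:
    """True when the hardened check refuses the attacker's request before forwarding it."""
    first = frame(ATTACKER_REQUEST, "cl")[0][0]
    try:
        reject_ambiguous(first)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for side, lines in what_each_side_sees().items():
        print(side, lines)
    print("hardened front end rejects:", front_end_blocks_it())
```

Under the "cl" policy the front end sees `POST /` followed by the victim's `GET /public` and applies its access check to `/public`; under the "te" policy the back end sees `POST /` followed by `GET /admin`, with the victim's request line swallowed into the `X-Ignore` header. That is the authentication-bypass shape: the component enforcing the policy and the component acting on the request never agree on what the request was. `reject_ambiguous` shows the cheapest fix at the boundary: refuse conflicting or duplicated framing headers rather than picking one.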