"New HTTP Request Smuggling Attacks Target Web Browsers"
James Kettle, a security researcher and director of PortSwigger, who previously demonstrated how attackers can exploit flaws in the way websites handle HTTP requests, warned that the same issues can be used in browser-based attacks against users to smuggle in malicious HTTP requests. Kettle's new research focuses on how threat actors can use these improper HTTP request handling issues to attack website users, steal credentials, install back doors, and otherwise compromise their systems. He discovered HTTP handling flaws that enabled client-side desync attacks on sites using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52 and earlier. The main distinction between server-side and client-side desync attacks is that the former requires attacker-controlled systems with a reverse proxy front-end and at least partially malformed requests. According to Kettle, a browser-powered attack instead occurs within the victim's web browser and uses legitimate requests. As an example of what an attacker could do, Kettle demonstrated a proof-of-concept in which he was able to store information such as authentication tokens of random Amazon website users in his shopping list. Kettle also found that he could have persuaded each infected Amazon customer to relaunch the attack on others. This article continues to discuss Kettle's research on new HTTP request smuggling attacks.
Dark Reading reports "New HTTP Request Smuggling Attacks Target Web Browsers"