
HTTP and De-Sync Attacks

BSides Dallas/Fort Worth | 49:29 | 177 views | Published 2021-11
About this talk
BSidesDFW 2021 Track 2 Session 7 - 06 Nov 2021 (volume is a little on the low side)

HTTP and De-Sync Attacks

Whether you are a network defender, web application pentester, or total noob, this presentation will teach you something. From the history of the protocol to pipelining and HTTP Request Smuggling, we'll see how HTTP works and how it can be broken. In addition to a deep dive into HTTP De-Synchronization attacks popularized by James Kettle (@albinowax) in 2019, you will see demonstrations of two attacks. Attend this presentation and walk away with a deeper understanding of the HTTP protocol, how web requests are processed, and novel HTTP attack techniques.

Cary is an offensive security engineer working for a Fortune 500 institution. He is a combat veteran and graduate of the United States Military Academy at West Point. He utilized his degree leading teams within the Army Engineer Corps and Cyber Command. His certifications include CISSP, OSCE, OSCP, and OSWE.