[Dailydave] "For the Glory of the State Machine"

Dave Aitel dave.aitel at gmail.com
Wed Sep 25 13:42:41 UTC 2019


So for the past while I've been obsessed with HTTP Desync Attacks
<https://www.youtube.com/watch?v=-y82LadA7N4>. A lot of people call this
"http request smuggling" which is a dumb name in a few ways, most
specifically because it restricts the bug class (and hence your mindset)
down to the smallest possible point. To be fair, in my head I call them
Parser State Mismatch bugs.

The way I look at this bug class is that no two parsers, no matter how well
written, can do the same thing to arbitrary evil input. When two parsers
operate on the same input and inevitably end up in different states, you
often have an exploitable situation. In other words, adding a web proxy or
"WAF" creates inevitable state mismatch bugs and this is going to be an
interesting and fruitful set of research for the next ten years.

What it reminds me of is this great talk from a bunch of unknowns that came
out recently:
https://www.youtube.com/watch?v=LE-2sIsUduE

-dave
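The parser state mismatch the post describes, as an added Python example that is not part of Dave's message or of the linked talk: two deliberately lenient HTTP/1.1 request framers (one trusts the first Content-Length, the other honours Transfer-Encoding: chunked or the last Content-Length) are run over the same constructed bytes and end in different states, while a strict framer that follows RFC 7230 section 3.3.3 rejects the ambiguity up front, which is the check a proxy or WAF sitting in front of a differently written backend should apply. The sample requests, the host name example.test and every function name below are constructed for this example.

```python
"""
Added example (not from the Dailydave post): two lenient HTTP/1.1 request
framers that disagree about where one message ends, beside a strict framer
that refuses ambiguous framing. All request bytes below are constructed.
"""
from dataclasses import dataclass


class FramingError(ValueError):
    """Raised by the strict framer when the message length is ambiguous."""


@dataclass
class Framed:
    headers: dict
    body: bytes
    rest: bytes  # bytes left in the buffer after this message


def _split_headers(raw):
    """Return (request line, [(lowercased name, value), ...], bytes after the blank line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def _read_chunked(data):
    """Decode a chunked body without trailers; return (body, remaining bytes)."""
    body, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":
                raise FramingError("trailers not supported in this example")
            return body, data[pos + 2:]
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise FramingError("bad chunk terminator")
        pos += 2


def frame_prefer_content_length(raw):
    """Lenient framer: trusts the FIRST Content-Length, ignores Transfer-Encoding."""
    _, headers, rest = _split_headers(raw)
    first_cl = next((v for n, v in headers if n == b"content-length"), b"0")
    n = int(first_cl)
    return Framed(dict(headers), rest[:n], rest[n:])


def frame_prefer_transfer_encoding(raw):
    """Lenient framer: honours chunked TE; otherwise uses the LAST Content-Length."""
    _, headers, rest = _split_headers(raw)
    hdrs = dict(headers)  # duplicate names: last one wins
    if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
        body, rest = _read_chunked(rest)
        return Framed(hdrs, body, rest)
    n = int(hdrs.get(b"content-length", b"0"))
    return Framed(hdrs, rest[:n], rest[n:])


def frame_strict(raw):
    """Strict framer: exactly one unambiguous length indicator, or reject."""
    _, headers, rest = _split_headers(raw)
    cl_values = {v for n, v in headers if n == b"content-length"}
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    if cl_values and te_values:
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if len(cl_values) > 1:
        raise FramingError("conflicting Content-Length values")
    if te_values:
        # Deliberately stricter than the RFC: only the canonical token is accepted,
        # so odd casing, stray whitespace or unknown codings are rejected, not guessed at.
        if te_values != [b"chunked"]:
            raise FramingError("unsupported or non-canonical Transfer-Encoding")
        body, rest = _read_chunked(rest)
        return Framed(dict(headers), body, rest)
    if cl_values:
        value = cl_values.pop()
        if not value.isdigit():
            raise FramingError("non-numeric Content-Length")
        n = int(value)
        if len(rest) < n:
            raise FramingError("incomplete body")
        return Framed(dict(headers), rest[:n], rest[n:])
    return Framed(dict(headers), b"", rest)


def framers_disagree(raw):
    """True when the two lenient framers end in different states on the same bytes."""
    a = frame_prefer_content_length(raw)
    b = frame_prefer_transfer_encoding(raw)
    return (a.body, a.rest) != (b.body, b.rest)


def strict_accepts(raw):
    try:
        frame_strict(raw)
        return True
    except FramingError:
        return False


# Constructed samples. AMBIGUOUS carries both indicators and they disagree:
# Content-Length claims 4 body bytes, the chunked framing covers all 15.
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")
DUPLICATE_CL = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
UNAMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for name, raw in [("ambiguous", AMBIGUOUS), ("duplicate CL", DUPLICATE_CL), ("clean", UNAMBIGUOUS)]:
        print(f"{name:12} lenient framers disagree: {framers_disagree(raw)!s:5} "
              f"strict accepts: {strict_accepts(raw)}")
```

The two lenient framers are each individually reasonable and would pass ordinary traffic; the disagreement only appears when they are chained and fed the same ambiguous bytes, which is the point of the post. The strict framer does not try to pick the "right" interpretation, it refuses to forward anything it cannot frame in exactly one way.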