[Dailydave] Amusement

Matthew Bateman mbateman at adaptiveinsights.com
Thu Oct 24 21:27:55 UTC 2019 

Decent write up here: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

-mdb

On 10/24/19, 12:43 PM, "Dailydave on behalf of Adam Shostack" <dailydave-bounces at lists.immunityinc.com on behalf of adam at shostack.org> wrote:

    Hi Dave,
    
    This is a thought-provoking problem, thanks for sharing.
    
    What resources do you find work best for explaining it?  Are there
    blog posts, presentations, etc?  How does the argument that it doesn't
    matter go?  What needs to be addressed?
    
    
    Adam
    
    On Thu, Oct 24, 2019 at 12:32:54PM -0400, Dave Aitel wrote:
    > So one of the hardest jobs as a penetration testing firm is when a new bugclass
    > starts getting popular, for whatever reason, you have to find a way to explain
    > to your clients that not only do they have to adjust their defenses, but the
    > defenses they put in place for the last bugclass may, in fact, be
    > counterproductive.
    > 
    > This is the story of HTTP Desync, which I find hilarious. We're still
    > struggling to explain it really, and right now it's hard to show what the
    > impact is to clients. You mark it as High, they mark it as Low, and without a
    > lot more work you're not going to have a ton of ability to argue the point. 
    > 
    > Likewise, fixing it requires...a ton of effort. I'm not even sure what to
    > suggest. No doubt your client is just going to ignore it until someone big gets
    > owned and then they're going to be annoyed at you for not pushing your point
    > harder.
    > 
    > But regardless, we find it on EVERY SINGLE ENGAGEMENT now, and I'm enjoying the
    > ramp up everyone is going through. :)
    > 
    > -dave
    > 
    
    > _______________________________________________
    > Dailydave mailing list
    > Dailydave at lists.immunityinc.com
    > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.immunityinc.com_mailman_listinfo_dailydave&d=DwIGaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=681btJtOeQITDADVSEkVPhBW86LdswBPnD26UKi50TA&m=UjjhzXDVi1vCq-FlXEa8RRoHM6losAOcqXN7VQA75Jk&s=I2n35rLu2vTcwimAWUL0T3Fyh-RWuVz_OlsqduoE4Qs&e= 
    
    
    -- 
    Adam Shostack
    President, Shostack & Associates
    https://urldefense.proofpoint.com/v2/url?u=https-3A__associates.shostack.org&d=DwIGaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=681btJtOeQITDADVSEkVPhBW86LdswBPnD26UKi50TA&m=UjjhzXDVi1vCq-FlXEa8RRoHM6losAOcqXN7VQA75Jk&s=1hfTj9clNxaLEqJerJ4u0No72gv-3hRErvZpM4eB7_8&e=  • +1 917 391 2168
    
    Join my very quiet announcement list: https://urldefense.proofpoint.com/v2/url?u=https-3A__adam.shostack.org_newthing&d=DwIGaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=681btJtOeQITDADVSEkVPhBW86LdswBPnD26UKi50TA&m=UjjhzXDVi1vCq-FlXEa8RRoHM6losAOcqXN7VQA75Jk&s=etuGPalHm4MVpd94NPvwqvog_bqli5tO_qGaWuZKp1s&e= 
    
    _______________________________________________
    Dailydave mailing list
    Dailydave at lists.immunityinc.com
    https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.immunityinc.com_mailman_listinfo_dailydave&d=DwIGaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=681btJtOeQITDADVSEkVPhBW86LdswBPnD26UKi50TA&m=UjjhzXDVi1vCq-FlXEa8RRoHM6losAOcqXN7VQA75Jk&s=I2n35rLu2vTcwimAWUL0T3Fyh-RWuVz_OlsqduoE4Qs&e=

More information about the Dailydave mailing list