HTTP Desync Attack Explained With Paper

LiveUnderflow · Advanced ·📄 Research Papers Explained ·4y ago

Key Takeaways

The video explains the HTTP Desync Attack, a security vulnerability that exploits the mismatch in request separation between load balancers and internal backend services, using research papers from Portswigger.net as reference. The attack is demonstrated through the principles of request separation, content encoding, and parser differential, highlighting the security issues that arise from different implementations of complex protocols.

Full Transcript

I go here, up in the middle, that's a good spot. Okay, welcome to the internet. So this is a very typical server setup that you have nowadays online. Imagine your web browser, and you go on a website. Oftentimes you connect to one server, so this load balancer or proxy is the server that you are connecting to. You have to imagine that a request is coming in from this side, and this load balancer is then proxying those requests to an internal backend service. So this is the actual web server, and this is just a proxy, just a thing to manage requests. This thing is, for example, responsible maybe for rate limiting, or maybe there are a lot of different internal backend servers, hundreds maybe, handling the actual application logic, and you have one big load balancer. This load balancer doesn't do any real big computation; all it does is take your request and forward it to a backend service, one of the different servers, and so forth. So this is a very typical setup. Even in a one-server setup it's often the case that you have a proxy in front of it and a backend after it, especially when you host your website on Amazon or with Google Cloud or whatever. Then you have the Google load balancer or the Amazon load balancer automatically in front of it, and maybe you don't even realize it, and then you have your website behind it. Very typical setup.

You have a request coming in to the load balancer, and the load balancer now sends it over to the backend servers. Servers are connected over the network with sockets, for example, and a socket is just a stream of bytes. You don't really need to know how the networking with TCP or whatever really works underneath, and you don't really need to understand HTTP either. All we need to know about how sockets work is: you write data in and you can read that data again. It's just a stream of data; you just write zeros and ones in there. The load balancer is writing that on one socket, and the backend is then reading the data coming in.

Now when you think of a request coming in, this request has a start and an end, and you need to define what the start and end is. So in this paper example, let's say requests are separated by a line. Okay, each request is separated by a line. So now let's think about this. Let's say we send a request here, we have a line, and we say we want to request... I don't have an example... the note number one. Okay, we request note number one. So the load balancer is writing "I want note number one", and to indicate the end of this request it draws a line here. And now comes the backend. The backend now reads this data, it reads "note 1" and sees the line, and will now give you the content back. So it will respond here with the content "abcd". It returns the note to you, so it writes the "abcd" here and indicates with the line that it's done. So you as a user send your request to the load balancer, and you indicate "I want note one"; that was forwarded to the backend, and the backend now returned "abcd", indicating with a line that the request is done, and returning that now to you. Now we read the response "abcd".

And now we come to the HTTP desync attack, kind of like the principal idea of this attack class. Remember the rule I told you: requests are separated by lines. A line indicates the separation of requests. So let me create here a request coming in from the outside. Okay, you send an HTTP request, and I draw you this request really quick here, and you tell me now what happens. So I'm sending in now this request to the load balancer. I [ __ ] this up... oh wait, I [ __ ] it up, I [ __ ] it up, I [ __ ] it up. Okay, here's the line missing. Okay, so this is the request I sent coming in to the load balancer.

Okay, the load balancer understands lines. The load balancer understands that the line is the end of a request, but this load balancer is implemented in a shitty way because it only understands black lines. So the load balancer sees this whole thing, this data, and sees a black line: "this is my request, here's the black line". So what does the load balancer do? It forwards now this packet onto the socket and sends the data over to the backend. Now the backend is implemented differently. It also understands lines, but it also understands red lines. Now the backend, because it's just a socket, sees: "oh, there are two requests waiting, I'm seeing two lines". So the backend will now send the response back for note 1 again, "abcd", and will return that data now to me. The load balancer takes now this data and sends it back to my browser. But now it also received the second request, which wants the admin information, and the backend sees that second request because there's another line, so this is another request, and it will send back a secret. Let's make this "xxx", that's the secret. It will send back this, but I received already my response, I have received "abcd". So the load balancer has a response waiting here that was not yet handled.

Now imagine a normal user is coming in. A normal user maybe wants to read note 2. A normal user sends now a request to the load balancer and says "I want note 2". The load balancer sees the line, so it knows this is one request, and puts it onto the socket: "please give me note two". The backend sees "oh yeah, there's a new note", it has a line, this is one request, and it will create a response with "ccc". Okay, this is note two, it will respond with this data. The load balancer now knows "okay, I need to read one response now from the socket here and return that to the user". But we haven't returned this response yet, so what we will now return is this response. It is now returned to the user, and now we have a desync, and this is the desync state. There was a second response still pending on this socket here, the response from the backend that the load balancer hasn't given to a user yet, and when the load balancer received another request and sent it to the backend, it was reading a response, but it was reading this pending response still sitting on that socket. And that's basically how a desync attack works: this misunderstanding of what it means that requests are separated by a line. The load balancer was dumb and only understood black lines, so it forwarded this whole thing as one request, but the backend understood also red lines, so the backend thought "oh, the load balancer is sending me two requests, so I have to send two responses". But the load balancer thought it's only one request and only returned one response, and so then when the next user came it returned this other pending response. Does that make sense?

Why does the backend handle lines if the load balancer does it in the front already? That's just how it's implemented. There's just a socket connection. The load balancer is really dumb; the load balancer takes HTTP requests and just forwards those HTTP requests. And so when we now speak about the actual HTTP desync attack and we think about HTTP requests, the basic HTTP desync attack works because you have different content encodings. You have the content length that tells you how large the whole request is, but you can also have chunked encoding, where you now send the data in chunks. And so this is basically this difference, where the load balancer might be looking at the content length, and so it's sending the whole HTTP packet, but the backend sees the chunked encoding and interprets it as two chunks or something like this. You know, this is just abstract; these lines do not really exist. This is just abstract to explain that requests need to be separated somehow. In this example they are separated by a line, and what do you think happens? Because these two systems disagree what a line is. The load balancer only understands black lines, while the backend understands red and black lines, and this misunderstanding in parsing data causes this.

You can even abstract this further, and we can call this a parser differential. There's a parser for requests here and a parser for requests here, and they have a slightly different behavior, and that is many times exploitable. A lot of security issues happen because you have parsers that try to understand the same data but do it slightly differently, and this misunderstanding between those two parsers can lead to security issues. And that's why, generally, when we say things like "we don't want complex protocols" and "we need very good references", it's for security reasons, because these programmers that implement these things, maybe one of them did it wrong. Maybe when I said we need to separate requests at lines, maybe I meant every line, the color doesn't matter, but maybe also just black lines. So it needs to be defined, and when these standards of how a protocol has to be implemented are not very strict and leave room for interpretation, you might end up with two different implementations that can be played against each other. Does that make sense?

This can also be done with responses, not only requests. Yeah, of course, at the fundament it is two systems understanding data differently. Yeah, so this was my abstract explanation of how a desync attack works.
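The "black lines versus red lines" picture maps directly onto the Content-Length versus Transfer-Encoding framing the transcript mentions. The following is an added example, not code from the video or from PortSwigger: two toy HTTP/1.1 request splitters, one that frames bodies by Content-Length (the "only black lines" front end) and one that honours chunked encoding (the "red lines too" back end), run over the same constructed byte stream, plus the check a strict front end should apply so that it refuses to forward a request whose framing is ambiguous rather than guessing. The byte streams, the `/note` and `/admin` paths and the `example.test` host are all constructed placeholders.

```python
# Added example (not the video's or PortSwigger's code): two toy HTTP/1.1
# request splitters that disagree on where a request ends, plus the defensive
# check a strict front end applies before forwarding. All byte streams below
# are constructed for this demonstration; "example.test" is a placeholder host.
from typing import Dict, List, Optional, Tuple


def parse_head(buf: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split off one request head: (request line, lowercased headers, remaining bytes)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def split_by_content_length(stream: bytes) -> List[bytes]:
    """Front-end view ("only black lines"): the body length comes from Content-Length."""
    requests = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        body_len = int(headers.get(b"content-length", b"0"))
        requests.append(request_line)
        stream = rest[body_len:]
    return requests


def split_by_chunked(stream: bytes) -> List[bytes]:
    """Back-end view ("red lines too"): Transfer-Encoding: chunked takes precedence."""
    requests = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        requests.append(request_line)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            while True:  # consume chunks up to the zero-length terminator
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0], 16)
                rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF
                if size == 0:
                    break
        else:
            rest = rest[int(headers.get(b"content-length", b"0")):]
        stream = rest
    return requests


def framing_problem(request: bytes) -> Optional[str]:
    """Defensive check for the front end: name the reason a request's framing is
    ambiguous (so it can be rejected) instead of picking one interpretation that
    the back end might not share. Returns None when the framing is unambiguous."""
    _, headers, _ = parse_head(request)
    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te is not None and cl is not None:
        return "both Content-Length and Transfer-Encoding present"
    if te is not None and te.lower() != b"chunked":
        return "unsupported Transfer-Encoding"
    if cl is not None and not cl.isdigit():
        return "non-numeric Content-Length"
    return None


# Constructed stream: one request whose Content-Length covers a zero-length
# chunk terminator *and* a trailing second request head (the "red line" inside
# the "black line" from the drawing).
TRAILING = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"0\r\n\r\n" + TRAILING
AMBIGUOUS = (
    b"POST /note HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: %d\r\n" % len(BODY)
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + BODY
)
# The same kind of request framed unambiguously (one framing header only).
CLEAN = (b"POST /note HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 6\r\n\r\nnote=1")

if __name__ == "__main__":
    print("front end sees", len(split_by_content_length(AMBIGUOUS)), "request(s)")
    print("back end sees ", len(split_by_chunked(AMBIGUOUS)), "request(s)")
    print("strict check on ambiguous request:", framing_problem(AMBIGUOUS))
    print("strict check on clean request:", framing_problem(CLEAN))
```

Running it shows the differential the drawing describes: the Content-Length splitter sees one request, the chunked splitter sees two, and the second one is never counted by the front end, which is exactly the pending-response state the video walks through. `framing_problem` is the mitigation side: a front end that rejects requests carrying both framing headers (or a Transfer-Encoding it does not understand) removes the room for interpretation instead of trying to out-guess the back end.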

Original Description

HTTP/1 Desync: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
HTTP/2 Desync: https://portswigger.net/research/http2

→ Twitch Subscription: https://www.twitch.tv/products/liveoverflow
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 📄 Info. ]=-
Main Channel: https://youtube.com/LiveOverflowCTF
Twitch: https://twitch.tv/LiveOverflow

-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-
#liveoverflow


Key Takeaways
  1. Understand the principle of request separation in HTTP
  2. Analyze the load balancer's implementation of request separation
  3. Identify the potential for parser differential in load balancer and backend implementations
  4. Apply knowledge of content encoding to security issues
  5. Recognize the impact of complex protocols on security vulnerabilities
💡 The HTTP Desync Attack highlights the importance of considering the potential for parser differential in load balancer and backend implementations, and the need for careful consideration of content encoding in security protocols.
