Decent write up here: 
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

-mdb

On 10/24/19, 12:43 PM, "Dailydave on behalf of Adam Shostack" 
<[email protected] on behalf of [email protected]> wrote:

    Hi Dave,
    
    This is a thought-provoking problem, thanks for sharing.
    
    What resources do you find work best for explaining it?  Are there
    blog posts, presentations, etc?  How does the argument that it doesn't
    matter go?  What needs to be addressed?
    
    
    Adam
    
    On Thu, Oct 24, 2019 at 12:32:54PM -0400, Dave Aitel wrote:
    > So one of the hardest jobs as a penetration testing firm is when a new bugclass
    > starts getting popular, for whatever reason, you have to find a way to explain
    > to your clients that not only do they have to adjust their defenses, but the
    > defenses they put in place for the last bugclass may, in fact, be
    > counterproductive.
    > 
    > This is the story of HTTP Desync, which I find hilarious. We're still
    > struggling to explain it really, and right now it's hard to show what the
    > impact is to clients. You mark it as High, they mark it as Low, and without a
    > lot more work you're not going to have a ton of ability to argue the point.
    > 
    > Likewise, fixing it requires...a ton of effort. I'm not even sure what to
    > suggest. No doubt your client is just going to ignore it until someone big gets
    > owned and then they're going to be annoyed at you for not pushing your point
    > harder.
    > 
    > But regardless, we find it on EVERY SINGLE ENGAGEMENT now, and I'm enjoying the
    > ramp up everyone is going through. :)
    > 
    > -dave
    > 
    
    > _______________________________________________
    > Dailydave mailing list
    > [email protected]
    > https://lists.immunityinc.com/mailman/listinfo/dailydave
 
    
    
    -- 
    Adam Shostack
    President, Shostack & Associates
    
    https://associates.shostack.org
    +1 917 391 2168
    
    Join my very quiet announcement list: https://adam.shostack.org/newthing
 
    
    
