HTTP Request Smuggling (HRS) is an attack that exploits the HTTP processing discrepancies between two servers deployed in a proxy- origin configuration, allowing attackers to smuggle hidden requests through the proxy. While this idea is not new, HRS is soaring in popularity due to recently revealed novel exploitation techniques and real-life abuse scenarios. In this talk, I step back a little from the highly-specific exploits hogging the spotlight, and present the first work that systematically explores HRS within a scientific framework. We design an experiment infrastructure powered by a novel grammar-based differential fuzzer, test 10 popular server/proxy/CDN technologies in combinations, identify pairs that result in processing discrepancies, and discover exploits that lead to HRS. Our experiment reveals previously unknown ways to manipulate HTTP requests for exploitation, and for the first time documents the server pairs prone to HRS.
Engin Kirda is a professor of computer science at Northeastern University. Before that, he held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna, where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and the United States. Engin’s research has focused on malware analysis (e.g., Anubis, Exposure, and Fire) and detection, web application security, and practical aspects of socialnetworking security. He was a co-founder of Lastline, Inc., a Silicon-Valley based company that specialized in the detection and prevention of advanced targeted malware that was acquired by VMWare in 2020. Engin was the program chair of the International Symposium on Recent Advances in Intrusion Detection in 2009, the program chair of the European Workshop on Systems Security in 2010 and 2011, the program chair of the well-known USENIX Workshop on Large Scale Exploits and Emergent Threats in 2012, the program chair of the security flagship conference Network and Distributed System Security Symposium in 2015 and USENIX Security in 2017.