Researcher: James Kettle
For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with.
Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. These exploits will be demonstrated across multiple high-profile websites, and a certain popular authentication framework.
These techniques unveil so much fresh attack surface that it can be hard to know where to focus your testing. To help, I'll share a polished methodology for efficiently pursuing leads, automating complex attacks, and quickly ruling out dead ends. You'll learn to recognize high-risk patterns and eke out subtle tell-tale clues to scent blood long before sacrificing anything to the RNG gods.
To defeat jitter and make these attacks reproducible, I've taken lore amassed over years of research into HTTP Desync Attacks and applied it to develop precision tooling. You'll learn how to adapt your attacks to different HTTP versions and target architectures, abusing protocol-level design decisions and obscure implementation quirks in popular servers. This includes a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub-1ms execution window. Alongside the open source tool, we'll also release a full complement of free online labs to the Web Security Academy, so you can try out your new skillset immediately.
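The state-machine collapse described above, as an added illustration that is not code from the talk or from PortSwigger: a constructed order row moves from pending to paid, the vulnerable handler checks and transitions in two separate statements, and a barrier stands in for network jitter so that every racing request passes the check before any of them writes. The hardened handler folds check and transition into one conditional UPDATE, so exactly one request wins no matter how many arrive together.

```python
import sqlite3
import threading

# Constructed demo: each SQL statement is atomic on its own, but the vulnerable
# handler splits "check state" and "update state", so concurrent pay requests
# can all observe 'pending' and all apply credit.

def new_store():
    conn = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, state TEXT, credit INTEGER)")
    conn.execute("INSERT INTO orders VALUES (1, 'pending', 0)")
    return conn, threading.Lock()   # the lock serialises single statements only

def pay_vulnerable(store, order_id, barrier):
    conn, lock = store
    with lock:                      # statement 1: read the current state
        (state,) = conn.execute("SELECT state FROM orders WHERE id=?", (order_id,)).fetchone()
    ok = state == "pending"
    barrier.wait()                  # models jitter: every request has passed the check
    if not ok:
        return False
    with lock:                      # statement 2: transition and credit, unconditionally
        conn.execute("UPDATE orders SET state='paid', credit=credit+1 WHERE id=?", (order_id,))
    return True

def pay_hardened(store, order_id, barrier):
    conn, lock = store
    barrier.wait()
    with lock:                      # one statement: the state check is part of the write
        cur = conn.execute(
            "UPDATE orders SET state='paid', credit=credit+1 WHERE id=? AND state='pending'",
            (order_id,))
    return cur.rowcount == 1        # only the request that won the transition succeeds

def run_race(handler, attempts=2):
    """Fire `attempts` concurrent pay requests; return (successes, credit applied)."""
    store = new_store()
    barrier = threading.Barrier(attempts)
    results = [None] * attempts
    def worker(i):
        results[i] = handler(store, 1, barrier)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads: t.start()
    for t in threads: t.join()
    (credit,) = store[0].execute("SELECT credit FROM orders WHERE id=1").fetchone()
    return sum(results), credit

if __name__ == "__main__":
    print("vulnerable:", run_race(pay_vulnerable))   # (2, 2): credited twice
    print("hardened:  ", run_race(pay_hardened))     # (1, 1): one transition
```

The same conditional-write pattern (or an equivalent row lock or compare-and-swap) is the check to look for wherever a workflow step must run at most once per object.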
Researcher: Gareth Heyes
Conferences: Nullcon Berlin 2023, 09 Mar 2023 | OWASP 2023 Global AppSec Dublin, 15 Feb 2023
Researcher: James Kettle
Conferences: DEF CON 30, 12 Aug 2022 | Black Hat USA 2022, 10 Aug 2022
Researcher: James Kettle
Conferences: Nullcon Berlin, 08 Apr 2022
Researcher: James Kettle
Conferences: Black Hat Europe, 10 Nov 2021 | DEF CON 29, 06 Aug 2021 | Black Hat USA, 05 Aug 2021
Researcher: James Kettle
Conferences: Black Hat Europe 2020, 10 Dec 2020
Researcher: Gareth Heyes
Conferences: Black Hat Europe 2020, 10 Dec 2020
Researcher: James Kettle
Conferences: Black Hat USA 2020, 05 Aug 2020
Researcher: Gareth Heyes
Conferences: Global AppSec Allstars, 26 Sep 2019
Researcher: James Kettle
Conferences: Black Hat USA 2019, 07 Aug 2019
Researcher: James Kettle
Conferences: LevelUp 0x03, 25 Jan 2019
Researcher: James Kettle
Conferences: Black Hat USA 2018, 09 Aug 2018
Researcher: Gareth Heyes
Conferences: AppSec Europe, 06 Jul 2018
Researcher: Gareth Heyes
Conferences: BSides Manchester, 17 Nov 2017
Researcher: James Kettle
Conferences: Black Hat USA 2017, 27 Jul 2017
Researcher: James Kettle
Conferences: OWASP AppSec EU 2017, 12 May 2017
Researcher: James Kettle
Conferences: Black Hat Europe 2016, 05 Dec 2016
Researcher: Gareth Heyes
Conferences: OWASP London, 24 Nov 2016
Researcher: James Kettle
Conferences: 44Con 2015, 15 Sep 2015
Researcher: James Kettle
Conferences: Black Hat USA 2015, 05 Aug 2015