While HTTP request smuggling already threatens website security, researchers have devised a new strategy that intensifies the threat. Dubbed browser-powered desync attacks, these attacks allow an adversary to compromise websites’ TLS and exploit servers.
Browser-Powered Desync Attack Demonstrated At Black Hat USA
Security researcher James Kettle elaborated on his latest study about the “browser-powered desync attack” in a recent white paper presented at the Black Hat USA 2022.
As explained, a browser-powered desync attack is a new attack technique that builds on conventional HTTP request smuggling. Exploiting these attacks potentially allows an adversary to target websites, install backdoors, poison browser connection pools, and introduce desync worms.
While conventional desync attacks involve poisoning the connection between front-end and back-end servers, a browser-powered desync attack targets the link between the front-end server and the browser. That means an attacker can use such attacks against websites with server-side request smuggling by poisoning the victim’s connection to the website’s server.
HTTP Anomalies Triggering The Attack
Specifically, a browser-powered desync attack involves the exploitation of four different vulnerabilities in HTTP handling.
First, the researcher observed that some reverse proxies validate only the first request sent over a connection, checking its Host header and ignoring subsequent requests. Thus, an attacker could send two requests to the target destination to gain access to the host.
The second issue, related to the first, is that the front-end uses the Host header of the first request to determine the destination back-end and then routes all subsequent requests from the same client to that destination. Explaining the impact of this issue in the white paper, the researchers stated,
This is not a vulnerability itself, but it enables an attacker to hit any back-end with an arbitrary Host header, so it can be chained with Host header attacks like password reset poisoning, web cache poisoning, and gaining access to other virtual hosts.
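To make the two front-end behaviours concrete, here is an added illustration that is not code from the white paper or from any product it mentions. It models a keep-alive connection through two toy front-ends: one that validates the Host header and picks a back-end only for the first request (the behaviour described above), and a hardened one that validates and routes every request on its own Host header. All host names, back-end names and the request sequence are constructed for the example, and the back-end-side check is a defence-in-depth measure added here, not something the article attributes to any vendor.

```python
# Added example: modelling first-request-only validation and routing on a
# keep-alive connection, beside the per-request alternative.
# Hosts, back-end names and requests below are constructed, not real targets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    host: str   # value of the HTTP Host header
    path: str


# Constructed routing table: which host names map to which back-end, which
# hosts an external client is allowed to reach, and which host names each
# back-end is actually willing to serve.
ROUTES = {"www.example": "backend-www", "intranet.example": "backend-intranet"}
CLIENT_ALLOWED = {"www.example"}
BACKEND_SERVES = {
    "backend-www": {"www.example"},
    "backend-intranet": {"intranet.example"},
}


class FirstRequestProxy:
    """Weak behaviour: the Host header is checked and a back-end chosen only
    for the first request on a connection; later requests inherit the decision."""

    def __init__(self):
        self.pinned = None  # back-end chosen for this connection, once set

    def handle(self, req):
        if self.pinned is None:
            if req.host not in CLIENT_ALLOWED:
                return ("rejected", None, req.host)
            self.pinned = ROUTES[req.host]
        # Subsequent requests are forwarded unchecked, arbitrary Host header and all
        return ("forwarded", self.pinned, req.host)


class PerRequestProxy:
    """Hardened behaviour: every request is validated and routed on its own Host."""

    def handle(self, req):
        if req.host not in CLIENT_ALLOWED:
            return ("rejected", None, req.host)
        return ("forwarded", ROUTES[req.host], req.host)


def run_connection(proxy, requests):
    """Feed a sequence of requests down one connection and return each decision."""
    return [proxy.handle(r) for r in requests]


def backend_accepts(decision):
    """Defence in depth (hypothetical check): a back-end refuses requests whose
    Host header names a site it does not serve, even if the front-end let them through."""
    status, backend, host = decision
    return status == "forwarded" and host in BACKEND_SERVES[backend]


# Constructed request sequence: a benign first request pins the connection,
# the second carries a Host header the client was never allowed to reach.
CONNECTION = [
    Request("www.example", "/"),
    Request("intranet.example", "/admin"),
]

if __name__ == "__main__":
    for proxy in (FirstRequestProxy(), PerRequestProxy()):
        for decision in run_connection(proxy, CONNECTION):
            print(type(proxy).__name__, decision, "back-end accepts:", backend_accepts(decision))
```

Running it shows the weak front-end forwarding the second request to backend-www with Host: intranet.example, exactly the "any back-end with an arbitrary Host header" situation the quote describes, while the per-request front-end rejects it. The back-end check is the second layer: even behind the weak front-end, a back-end that only answers for host names it serves will refuse the mis-routed request.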
Third, the researcher found a way to detect connection-locked request smuggling, and the fourth issue was the browser-compatible desync, which also allowed the researcher to compromise Amazon users’ accounts. Besides Amazon, the researcher also demonstrated compromising numerous prominent services such as Cisco Web VPN, Akamai, and Pulse Secure VPN.
The researchers have elaborated on the technicalities behind these attacks in their research paper, also suggesting prospects for future research.