DEF CON 33 - HTTP 1 1 Must Die! The Desync Endgame - James 'albinowax' Kettle

Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets including tech giants, SaaS providers, and CDNs, with one unplanned collaboration yielding over $100,000 in bug bounties in two weeks. I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that dump server memory heartbleed-style. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me. You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.