HTTP Request Smuggling Attack Explained // Untangling the HTTP Desync Attack

In this video, Aron Molnar untangles HTTP request smuggling aka HTTP desync attacks. The basic concept is first explained. The vulnerability is then exploited in a practical example of Portswigger's web security academy. Detect http smuggling attacks using Offensity: https://www.offensity.com/en/signup/#... Portswigger Web Security Academy Lab ("Exploiting HTTP request smuggling to capture other users' requests"): https://portswigger.net/web-security/... Subscribe to my newsletter at https://securityguide.me Timestamps: 0:00 Intro 0:15 http smuggling is like ordering a pizza 3:28 Create an http request 5:53 Exploitation: Intercept the original request 8:01 Exploitation: Using the request smuggler 12:32 Exploitation: Smuggle attack using the turbo intruder 14:36 Exploitation: Smuggling a malicious request 18:21 Detect http smuggling using Offensity 18:48 Outro

Join Today
HTTP Request Smuggling Explained (with James Kettle)
▶︎

HTTP Request Smuggling Explained (with James Kettle)

albinowax - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference
▶︎

albinowax - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference

Portswigger Web Academy - HTTP Request Smuggling - Explanation & Lab Walkthrough
▶︎

Portswigger Web Academy - HTTP Request Smuggling - Explanation & Lab Walkthrough

DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle
▶︎

DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle

The Most Overlooked Bug in Web Apps: HTTP Request Smuggling (Deep Dive)
▶︎

The Most Overlooked Bug in Web Apps: HTTP Request Smuggling (Deep Dive)

DEF CON 30 - James Kettle - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
▶︎

DEF CON 30 - James Kettle - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

Every Network Protocol Explained in 18 Minutes
▶︎

Every Network Protocol Explained in 18 Minutes

Practical Attacks Using HTTP Request Smuggling by @defparam #NahamCon2020
▶︎

Practical Attacks Using HTTP Request Smuggling by @defparam #NahamCon2020

Cross Site Request Forgery - Computerphile
▶︎

Cross Site Request Forgery - Computerphile

HTTP Desync Attacks: Request Smuggling Reborn
▶︎

HTTP Desync Attacks: Request Smuggling Reborn

HTTP Request Smuggling - False Positives
▶︎

HTTP Request Smuggling - False Positives

Request smuggling - do more than running tools! HTTP Request smuggling bug bounty case study
▶︎

Request smuggling - do more than running tools! HTTP Request smuggling bug bounty case study

Practical Web Cache Poisoning: Redefining 'Unexploitable'
▶︎

Practical Web Cache Poisoning: Redefining 'Unexploitable'

HTTP Request Smuggling
▶︎

HTTP Request Smuggling

Log4J Vulnerability (Log4Shell) Explained - for Java developers
▶︎

Log4J Vulnerability (Log4Shell) Explained - for Java developers

HTTP Request Smuggling Explained: Part 1
▶︎

HTTP Request Smuggling Explained: Part 1

He Outsmarted Every Tech Company With One Simple Tool
▶︎

He Outsmarted Every Tech Company With One Simple Tool

I Built a Virus for this Cocky Scammer
▶︎

I Built a Virus for this Cocky Scammer

HTTP Request Smuggling Attack Explained
▶︎

HTTP Request Smuggling Attack Explained

Missing HTTP Security Headers - Bug Bounty Tips
▶︎

Missing HTTP Security Headers - Bug Bounty Tips