BlueHat IL 2026 - Maor Abutbul - Why-So-QUIC!? Racing and Fuzzing HTTP/3 WebApps using QuicDraw-UI
HTTP/3, the latest version of the HTTP protocol, is one of the new protocols in town. Does anyone use it? Well, more than 35% of all internet-facing websites do! HTTP/3 over QUIC, originally developed by Google, has taken security seriously, which is reflected in its RFC. In this session, we will share HTTP/3's main features and dive into its internals, then share our research journey, including some of our attack scenarios. One of HTTP/3's most promising features is its ability to solve Head-of-Line (HOL) blocking, ensuring each request has its own stream (to minimize bottlenecks between requests), leading to requests cannot block each other on the same stream. Does it mean that race conditions are impossible in HTTP/3? In the session, we will cover our journey to overcome these limitations and "Make Fuzzing and Race Conditions Work in HTTP/3". During our research, we found that the level of tooling for HTTP/3 security testing, fuzzing, and particularly race conditions testing, is lacking; therefore, we developed our own open-source tool, QuicDraw. Finally, we will demonstrate using QuicDrawUI and exploiting a 1-day race condition on a well-known identity provider hosted on a well-known cloud provider (over HTTP/3 :)) Attendees will be armed with the theory and tools required for their own HTTP/3 and QUIC research.

BlueHat IL 2026 - Oran Avraham, Ori Lahav - Exploiting Zero-Days via PostgreSQL Internals

Meet the Former CIA Agent Who Wants to Abolish the CIA

Software architecture, human judgment, and AI's limits with Grady Booch

BlueHat IL 2026 - Gal Bar Nahum - How HTTP/2 Lets Dead Streams Keep Servers Working

BlueHat IL 2026 - Michal Kamensky, Amir Gombo - Hybrid Cloud: A Novel Vulnerability Playground

BlueHat IL 2026 - Alon Livne, Matan Mansheroff - Two Tales of hacking 90s MS-DOS Software

BSidesCharm 2026 - CloudShell Abuse: a CTF, API, and persistent access to CPU/network/storage

BlueHat IL 2026 - Nati Tal, Shaked Chen - When AI Browsers Talk Too Much

Zig 2026: No-AI Policy, $670K Foundation, Left GitHub & Why Zig Isn’t 1.0 - Andrew Kelley Explains

The Uncomfortable Truth About AI “Reasoning” | World Science Festival

BlueHat IL 2026 - David Driker, Yuval Sadowsky - VoidLink Internals

When Stupid Cops Mess With FBI Agent

BlueHat IL 2026 - Ezra Caltum, Anders Fogh - Life and death of a CPU bug

The World's Most Important Machine

Billionaire's WARNING: I'm SELLING. The Crash Is Already Here!

Something is jamming GPS over Europe. Here's what we found

BlueHat IL 2026 - Dan Lahav - Keynote - The Trajectory of Frontier AI Security

BlueHat IL 2026 - Netanel Ben Simon, Alon Leviev - Attacking and Securing Windows Recovery

MIT Just Revealed the AI Bubble's Fatal Flaw

