Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.
This presentation provides an overview of the latest research on HTTP Request Smuggling (HRS), an attack that abuses disagreements between HTTP parsers about where one request ends and the next begins. The attack occurs when, on the same connection, the proxy component sees one request while the web backend component sees two distinct requests.
The most common risks will be presented, along with a set of payload variations and a live attack demonstration.
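To make the desync concrete, here is an added example that is not part of the talk or of any GoSecure tool: two minimal HTTP/1.1 request-stream parsers in Python, one that frames bodies by Content-Length only (a front end that ignores Transfer-Encoding) and one that lets Transfer-Encoding: chunked win as RFC 7230 requires (the back end). Fed the same constructed byte stream, the first returns one request and the second returns two. The host example.test, the path /internal and the function names are assumptions chosen for the illustration.

```python
# Added example (not from the talk or from GoSecure): two minimal HTTP/1.1
# request-stream parsers that frame the message body differently, and a
# constructed request stream (CL.TE style) that they split differently.


def _parse_head(stream: bytes, pos: int):
    """Parse one request head starting at pos.

    Returns (request_line, headers, body_start) or None if the head is
    incomplete. Header names are lower-cased; duplicates keep the last value.
    """
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body starting at pos (trailers not supported).

    Returns (body, position after the terminating CRLF) or None if the
    stream ends before the zero-length chunk.
    """
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end < 0:
            return None
        size = int(stream[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            # Terminating chunk must be followed by the empty line ending the body.
            if stream[pos:pos + 2] != b"\r\n":
                return None
            return body, pos + 2
        if len(stream) < pos + size + 2:
            return None
        body += stream[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def parse_stream(stream: bytes, framing: str):
    """Split a byte stream into requests using one framing rule.

    framing="content-length": body length is Content-Length, Transfer-Encoding
    is ignored (a front end that does not understand chunked encoding).
    framing="transfer-encoding": Transfer-Encoding: chunked wins when present,
    otherwise Content-Length is used (the RFC 7230 behaviour).
    Returns (requests, unconsumed_bytes); each request is (request_line, body).
    """
    requests, pos = [], 0
    while pos < len(stream):
        head = _parse_head(stream, pos)
        if head is None:
            break
        request_line, headers, body_pos = head
        te = headers.get("transfer-encoding", "").lower()
        if framing == "transfer-encoding" and "chunked" in te:
            decoded = _read_chunked(stream, body_pos)
            if decoded is None:
                break
            body, pos = decoded
        else:
            length = int(headers.get("content-length", "0"))
            if len(stream) < body_pos + length:
                break
            body = stream[body_pos:body_pos + length]
            pos = body_pos + length
        requests.append((request_line, body))
    return requests, stream[pos:]


# Constructed CL.TE payload (hypothetical host and path): the second request is
# hidden inside the first request's Content-Length-framed body.
SMUGGLED = b"GET /internal HTTP/1.1\r\n" + b"Host: example.test\r\n" + b"\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED  # empty chunked body, then the hidden request
STREAM = (b"POST / HTTP/1.1\r\n"
          + b"Host: example.test\r\n"
          + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          + b"Transfer-Encoding: chunked\r\n"
          + b"\r\n"
          + BODY)


def proxy_view():
    """What a Content-Length-only front end sees: one request."""
    return parse_stream(STREAM, "content-length")[0]


def backend_view():
    """What a chunked-aware back end sees: two requests."""
    return parse_stream(STREAM, "transfer-encoding")[0]


if __name__ == "__main__":
    for name, view in (("proxy", proxy_view()), ("backend", backend_view())):
        print(f"{name}: {len(view)} request(s)", [line for line, _ in view])
```

Running the script prints one request line for the proxy view and two for the backend view; the hidden GET never passed through the front end's routing or access checks as a request of its own, which is the core of the risk the talk describes. A stream framed only by Content-Length parses identically under both rules, which is why the desync needs both headers present and a component that ignores one of them.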
Q&A and discussion for the cloud security block, hosted and moderated by Max Habra. Questions will be gathered from the audience during the three prior talks.