Dailydave mailing list archives

"For the Glory of the State Machine"


From: Dave Aitel <dave.aitel () gmail com>
Date: Wed, 25 Sep 2019 09:42:41 -0400

So for the past while I've been obsessed with HTTP Desync Attacks
<https://www.youtube.com/watch?v=-y82LadA7N4>. A lot of people call this
"http request smuggling" which is a dumb name in a few ways, most
specifically because it restricts the bug class (and hence your mindset)
down to the smallest possible point. To be fair, in my head I call them
Parser State Mismatch bugs.

The way I look at this bug class is that no two parsers, no matter how well
written, can do the same thing to arbitrary evil input. When two parsers
operate on the same input and inevitably end up in different states, you
often have an exploitable situation. In other words, adding a web proxy or
"WAF" creates inevitable state mismatch bugs and this is going to be an
interesting and fruitful set of research for the next ten years.

What it reminds me of is this great talk from a bunch of unknowns that came
out recently:
https://www.youtube.com/watch?v=LE-2sIsUduE

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
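The parser state mismatch the post describes, as an added illustration (not code from the post or from the linked talk): two minimal HTTP/1.1 request framers, one trusting Content-Length and one honouring Transfer-Encoding: chunked, attribute different bytes to the same constructed request, and a defensive check flags the ambiguous framing before either parser sees it. All function names and the sample request are assumptions made for this example.

```python
# Added example: two HTTP/1.1 framers that end in different states on the same
# bytes; the sample requests below are constructed, not taken from the post.
CRLF = b"\r\n"

def split_request(raw: bytes):
    """Return (start_line, lower-cased header dict, raw body) for one request."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def frame_by_content_length(raw: bytes):
    """Parser A (say, a front-end proxy) trusts Content-Length.
    Returns (body it assigns to this request, bytes it leaves for the next)."""
    _, headers, body = split_request(raw)
    n = int(headers.get(b"content-length", b"0"))
    return body[:n], body[n:]

def frame_by_chunked(raw: bytes):
    """Parser B (say, the back-end) honours Transfer-Encoding: chunked, which
    RFC 7230 section 3.3.3 says takes precedence when both headers are present."""
    _, headers, body = split_request(raw)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        return body, b""
    out, pos = b"", 0
    while True:
        end = body.index(CRLF, pos)
        size = int(body[pos:end].split(b";")[0], 16)  # chunk-size; extensions dropped
        pos = end + 2
        if size == 0:
            return out, body[pos + 2:]  # skip the CRLF that ends the (empty) trailers
        out += body[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF

def is_ambiguous_framing(raw: bytes) -> bool:
    """Defensive check: a request carrying both Content-Length and
    Transfer-Encoding has two possible framings; reject it rather than guess."""
    _, headers, _ = split_request(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

def parsers_disagree(raw: bytes) -> bool:
    """True when the two framers leave different bytes for the 'next' request."""
    return frame_by_content_length(raw) != frame_by_chunked(raw)

# Constructed samples: AMBIGUOUS says 6 body bytes by Content-Length but zero
# chunks by Transfer-Encoding; CLEAN has a single, unambiguous framing.
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nX")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
```

Parser A swallows the trailing `X` as body while parser B leaves it as the start of the next request; that leftover byte is the mismatched state, and the check on the header pair is what a proxy or WAF should enforce instead of picking one interpretation.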
