Browser-Powered-Desync Attacks

We discussed this vulnerability as part of our weekly podcast on 20 September 2022

A very packed research post from James Kettle introducing two new forms of desync attack.

Client-side desync - A new term for a desync (a disagreement about where one request ends and the next begins) between the client (the browser) and the server, as opposed to the "traditional" desync attacks that depend on a front-end and back-end server disagreeing. These happen when a server ignores the Content-Length value. That might happen because of an early return in request handling, such as a front-end server rejecting or redirecting the request before it reads the body. Another case the author came across was servers that simply did not expect a body at all and assumed every request would be a GET. If an attacker triggers one of these requests that gets handled without the body being read, the body is left on the connection and treated as the start of the next request from that client. That gives the attacker the ability to put a potentially malicious prefix in front of the victim's next request, including control of its headers. Because the attack does not rely on malformed HTTP requests, it can be launched from the browser, only requiring that the victim visit an attacker-controlled website (similar to CSRF). It can be exploited much like normal request smuggling, by crafting a prefix that causes sensitive user data to get stored somewhere the attacker can retrieve it. It also opens up attack surface for chaining that is normally unreachable cross-site, like sending a cross-site request with a JSON Content-Type: header, or attacks that rely on a modified Host: header.

Pause-based desync - A new way to create a desync where one end of the connection times out but the connection still gets reused.
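As an added example (not code from the original post or from the research it summarises), the following toy model of a keep-alive HTTP/1.1 connection shows the client-side desync mechanism described above: a handler for a redirect path that answers before reading the body leaves that body in the connection buffer, so the browser's next request is parsed as the tail of an attacker-chosen prefix. The `/redirect` path, the `victim.example` host, the cookie value and the `GET /hopefully404` probe target are all constructed for this demo, and the `fetch` call mentioned in the comments is an assumption about how such a request would be launched from a browser.

```python
# Added example, not from the original post. Everything here is a constructed
# simulation: there is no network traffic, only the bytes a browser would put on
# one keep-alive connection and a toy server parser that reads them back.

# Probe body an attacker page might send via (assumed) fetch('/redirect',
# {method: 'POST', body: SMUGGLED_PREFIX, mode: 'no-cors', credentials: 'include'}).
# No trailing CRLF: the victim's next request line will be glued onto "Foo: x".
SMUGGLED_PREFIX = b"GET /hopefully404 HTTP/1.1\r\nFoo: x"


def _parse_head(buf: bytes):
    """Split one request head off the front of buf.

    Returns (method, target, headers, rest) or None if no complete head is buffered.
    """
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, rest


def serve_connection(stream: bytes, early_return_bug: bool):
    """Parse every request the server sees on one connection.

    Returns a list of (method, target, headers, body, status). With
    early_return_bug=True the /redirect handler answers 302 immediately and never
    consumes the Content-Length body, so that body is parsed as the start of the
    next request on the connection: the client-side desync.
    """
    seen = []
    buf = stream
    while (parsed := _parse_head(buf)) is not None:
        method, target, headers, rest = parsed
        content_length = int(headers.get("content-length", "0"))
        if target.startswith("/redirect") and early_return_bug:
            body, buf = b"", rest  # BUG: body left unread in the buffer
            status = 302
        else:
            body, buf = rest[:content_length], rest[content_length:]
            if target.startswith("/redirect"):
                status = 302
            else:
                status = 200 if target == "/" else 404
        seen.append((method, target, headers, body, status))
    return seen


def browser_traffic(prefix: bytes = SMUGGLED_PREFIX) -> bytes:
    """Bytes a browser would emit on one connection: the cross-site POST carrying the
    prefix, then a normal navigation to GET / with the victim's cookie. Nothing is
    malformed; the browser computes Content-Length itself."""
    attacker_post = (
        b"POST /redirect HTTP/1.1\r\n"
        b"Host: victim.example\r\n"
        b"Cookie: session=victim-secret\r\n"
        b"Content-Type: text/plain;charset=UTF-8\r\n"
        b"Content-Length: %d\r\n\r\n" % len(prefix)
    ) + prefix
    victim_get = (
        b"GET / HTTP/1.1\r\n"
        b"Host: victim.example\r\n"
        b"Cookie: session=victim-secret\r\n\r\n"
    )
    return attacker_post + victim_get


def desync_detected(early_return_bug: bool) -> bool:
    """Detection check: if the follow-up request is answered as the smuggled
    GET /hopefully404 (404) instead of GET / (200), the connection is desynced."""
    responses = serve_connection(browser_traffic(), early_return_bug)
    return len(responses) >= 2 and responses[1][4] == 404


if __name__ == "__main__":
    for bug in (False, True):
        for method, target, headers, body, status in serve_connection(browser_traffic(), bug):
            print(f"bug={bug} {method} {target} -> {status} headers={headers} body={body!r}")
        print("desync detected:", desync_detected(bug))
```

In the buggy run the server's second request is `GET /hopefully404` carrying the victim's `Cookie:` header and a `Foo: xGET / HTTP/1.1` header, which is exactly the "attacker-controlled prefix in front of the victim's request" the post describes; in the correct run the body is consumed and the second request is the plain `GET /`.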