Check out Intigriti – the sponsor of today’s video: https://www.intigriti.com/
Subscribe to BBRE Premium: https://bbre.dev/premium
Subscribe to @intigriti on YouTube: @intigriti


✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw

This video is about a new hacking technique discovered by James Kettle, one of the best, if not the best, web security researchers in the world. The vulnerability is called client-side desync, or browser-powered desync, and is a subclass of request smuggling vulnerabilities. The video shows the CL.0 variant and how many websites built on Akamai could be hacked with it.

Get $100 in credits for Digital Ocean: https://bbre.dev/do

The article: https://portswigger.net/research/browser-powered-desync-attacks
James’ Twitter: https://twitter.com/albinowax

Timestamps:

00:00 Intro
00:36 Intigriti – the sponsor of today’s video
01:08 Desynchronising the browser and a vulnerable server
06:03 Confusing the browser by returning a different response
09:44 XSS using HEAD tunnelling
