This video is about a new hacking technique discovered by James Kettle, one of the best, if not the best, web security researchers in the world. The vulnerability is called client-side desync, or browser-powered desync, and is a subclass of request smuggling vulnerabilities. The video shows the CL.0 variant and how many websites built on Akamai could be hacked with it.

00:00 Intro
00:36 Intigriti – the sponsor of today’s video
01:08 Desynchronising the browser and a vulnerable server
06:03 Confusing the browser by returning a different response
09:44 XSS using HEAD tunnelling
