Using HTTP request smuggling to hijack users' sessions


In this blog (linked above) I walk through one of the most complex exploits I have created to date, resulting in application-wide session hijacking via HTTP Request Smuggling. The exploit abused response queue poisoning to desynchronize the application’s response queue, and a small reflection gadget on the login page to eventually allow us to capture other users’ requests including (of course) their session cookies.

This post is licensed under CC BY 4.0 by the author.