Leading up to Black Hat USA, hear from Black Hat Review Board Members, Speakers, Trainers and Partners about their contributions to information security and the upcoming Black Hat event.
This week, we chat with James Kettle, Director of Research at PortSwigger Web Security, presenting Web Cache Entanglement: Novel Pathways to Poisoning at Black Hat USA 2020 Briefings.
James, Welcome back to Black Hat USA! This year you're diving into cache implementation flaws, ensuring things get much, much "messier", resulting in some of the "riskiest", most "hard-to-find attack techniques" yet. What led you to continuing your work from 2018? How do you determine what's next or whether or not to continue researching — especially after a pretty momentous discovery like your 2018 research?
There's always a lot of luck and chance involved. I keep my eyes open to spot new opportunities. In this case, last year while researching http attacks, I discovered an information link on a major CDN. It looked promising, but I didn't have time to investigate it further because I was working on my HTTP desync research for Black Hat USA.
I looked back into it as soon as I was done with desync and saw that the mental model, I'd built for caching issues was way too simple. And where you've got complexity, you've got something!
Self-directed research is the only way research works. There's a massive list of things I would like to research, but I try and prioritize and use Black Hat submissions as a deadline for getting research done.
Do you always create tutorial style challenges and open source your tools and methodology after presenting? — Is that an important part of research for you?
I started off doing this with my web cache poisoning talk. Since then, my company created web security academy, so I have been making more challenges as part of that. The goal is to help people understand the issues. It's a lot easier when they have live system, they can try the techniques on. Just reading presentation doesn't help.
Also, I love seeing other people build on the research I have done and presented. That is one of the most satisfying parts of being a researcher.
The Firefox potential botnet discovery detailed in your previous web cache talk was an accidental find — Is that common in your research that you find some deeper gold mine? Without giving too much away…can we expect some sort of exciting disclosure this year?
There are major findings in this research that occurred by accident. I found another issue in a very similar manner and actually received a bounty from same software vendor for it. Honestly dedication and luck are the biggest part of the research process.
I saw your article about becoming a security researcher and thought it was really eloquent and digestible. How did you find your way into security research?
I found my way into research by starting out with bug bounty hunting. Competing with loads of other hackers to find vulnerabilities in a small number of targets. If you want to get paid, you need to find what others have missed. Where someone else looked but may have failed to find something. That's the most effective way to research.
Did you have any hesitations about submitting to Black Hat's CFP considering this year's event may have converted to virtual?
Submitting to Black Hat is a part of my job. I love presenting because it's a way of getting more help on research, spread to more eye balls, so regardless of the event being virtual or live, Black Hat is a great platform.
Are there things that will you miss about the on-site experience either as a presenter or as an attendee?
Yes, massively! I enjoy being at black hat in person. I will miss having a live audience and the vendor parties. The audience is what breathes life into the presentation. Now I have to try and have the same kind of energy presenting.
Do you have a favorite presentation you have given or discovery you have made?
My favorite presentation was last year, 2019 on http desync attacks. The technique worked on a 3rd of the internet. It wasn't quite as bad by the time I presented because I gave the vendors a heads up, but it was still widely successful, and I saw a stream of people using the technique on real systems which was pretty cool.
Watch some past talks:
- Black Hat USA 2019 – HTTP Desync Attacks: Smashing into the Cell Next Door
- Black Hat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
- Black Hat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
- Black Hat Europe 2016 - Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
- Black Hat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
Has the pandemic impacted your work at all? I've spoken to some people who have time availability has changed or work roles and responsibilities.
The pandemic hasn't directly affected research, but Black Hat going virtual has changed the presentation deadline and put some time pressure on things.
James 'albinowax' Kettle is the Director of Research at PortSwigger Web Security, where he explores novel attack techniques, and designs and refines vulnerability detection techniques for Burp Suite's scanner. James has extensive experience inventing and sharing new web attacks, including HTTP desync attacks, server-side RCE via template injection, client-side RCE via malicious formulas in CSV exports, and abusing HTTP headers to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.