Talk

HTTP/3 On The Racetrack – Introducing Quickdraw

conf 20.11.2025 11:55 – 12:25 La Marive EN

HTTP/3: is it a thing? Yes, no hallucinations involved ;) HTTP/3 (the third major version of the Hypertext Transfer Protocol) is one of the new protocols in town. Does anyone use it? Well, more than 35% of all internet-facing websites do! (Crazy, right!?)

In this session, we will share our journey into researching HTTP/3 and its internals. During our research we discovered a lack of user-friendly tools for HTTP/3 security testing, fuzzing, and particularly race-condition testing, which led us to develop our own open-source tool. HTTP/3 over QUIC (originally developed by Google) has taken security seriously, and this is reflected in the RFC. One of HTTP/3's most promising features is its ability to solve Head-of-Line (HOL) blocking by ensuring each request has its own stream (to minimize bottlenecks between requests).

In the session we will cover our journey to overcome these limitations and "Make Fuzzing and Race Conditions Work on HTTP/3", leading to the development of our open-source tool QuicDraw. In the last part we will demonstrate using QuicDraw and exploiting a 1-day race condition on a well-known identity provider hosted on a well-known cloud provider (over HTTP/3 :)). Attendees will be armed with the theory and tools required for their own HTTP/3 research.