
DEF CON 30 - James Kettle - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

DEFCONConference

The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end... until now.

In this session, I'll show you how to turn your victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You'll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques I'll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I'll share a battle-tested methodology combining browser features and custom open-source tooling. We'll also release free online labs to help hone your new skillset.

I'll also share the research journey, uncovering a strategy for black-box analysis that solved several long-standing desync obstacles and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks; to wrap up, I'll demo breaking HTTPS on Apache.

posted by Tolehv