Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
Unknown
Black Hat USA 2024 · Day 1 · Briefing
This talk, presented by Orange, Principal Security Researcher at DEVCORE, delves into a pervasive class of vulnerabilities termed **confusion attacks** within the Apache HTTP Server ecosystem. The core premise is that Apache's extensive history, coupled with its highly flexible and often complex configuration options—especially when integrated with PHP—introduces **semantic ambiguity** that can be exploited by attackers. Orange highlights how seemingly innocuous or functionally identical configuration directives can harbor critical security flaws, leading to issues ranging from remote source code disclosure to authentication bypasses and novel CGI exploitation techniques.