Why So QUIC! Racing and Fuzzing HTTP/3 with QuicDraw UI
Maor Abutbul
Nullcon Goa 2026 · Day 1
Maor Abutbul's Nullcon talk, "Why So QUIC! Racing and Fuzzing HTTP/3 with QuicDraw UI," delves into the often-overlooked security implications of **HTTP/3**, the latest iteration of the Hypertext Transfer Protocol. Despite its widespread adoption (it powers over 36% of internet-facing websites, including major services like Google Search and YouTube), HTTP/3 remains an under-researched area within the security community, particularly concerning practical attack vectors and tooling. This presentation addresses that gap by exploring **race conditions** in the context of HTTP/3 and introducing **QuicDraw**, an open-source tool designed for fuzzing and racing HTTP/3 web applications.
AI review
Abutbul brings a genuinely novel attack primitive to a protocol that the security community has largely ignored from an offensive angle. The Quick Fin Sync concept is clean, technically grounded, and the live demo against a real CloudFront/Keycloak stack with 99/120 concurrent hits is the kind of result that makes the technique undeniable.