Black Hat 2025 Wrap-up
Hello! Jordan_Zebor is your editor this time for the F5 SIRT This Week in Security, covering Black Hat 2025. The Black Hat 2025 security conference proved once again why it is the global epicenter for unveiling cutting-edge cybersecurity research and innovative attack methodologies. Here are a few of this year's highlights.
Unicode as a Double-Edged Sword: Exploiting Normalization Pitfalls
Unicode underpins the Internet, but as researchers revealed in Lost in Translation: Exploiting Unicode Normalization, it also presents an alarmingly rich attack surface. This talk, notably the first-ever father-daughter presentation at Black Hat, demonstrated how flaws in Unicode normalization processes can bypass security mechanisms, enabling attackers to carry out several classes of web application attacks. During the session, the team detailed how techniques like visual confusables, overlong encodings, truncations, and improper case mappings can undermine common defenses, such as web application firewalls (WAFs) and backend validation. The common thread is that a filter inspects one representation of the input while the component it protects acts on another, so any check that runs before normalization, case mapping, or truncation can be sidestepped. Attacks leveraging these flaws were showcased using fuzzing tools like Shazzer and Recollapse, as well as contributions to the Burp Suite extension ActiveScan++, which help pinpoint how Unicode quirks can create security blind spots. The slides can be found here.
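As an added illustration (my own example code, not the researchers' tooling and not taken from the slides), the Python below shows the ordering bug behind several of the techniques above: a filter that validates the raw string and then lets a downstream layer apply NFKC normalization, case mapping, and truncation, next to a version that canonicalizes first and validates the canonical form. The forbidden characters, denylist word, column width, and probe strings are all made up for the example; the overlong-UTF-8 check at the end shows why a strict decoder, not a forgiving one, is the right default.

```python
import unicodedata

# Policy a front-end filter (or WAF) enforces on a "safe" string (made up for this example).
FORBIDDEN = set("<>\"'")
DENYLIST = ("script",)
MAX_LEN = 8  # e.g. a VARCHAR(8) column behind the application

# Constructed probes (made up for this example, not from the talk). Each one looks
# harmless if you inspect the raw code points, and changes after the normalization
# or case mapping that a later layer applies.
PROBES = {
    "fullwidth_tag": "\uff1cb\uff1e",            # ＜b＞ -> "<b>" under NFKC
    "long_s":        "\u017fcript",              # ſcript -> "script" under NFKC or casefold
    "ligatures":     "admin\ufb03\ufb03\ufb03",  # 8 code points, 14 after NFKC (ﬃ -> "ffi")
}


def vulnerable_filter(raw: str):
    """Wrong order: validate the raw string, then let a downstream layer
    normalize and truncate. Returns the value that reaches storage, or None."""
    if len(raw) > MAX_LEN or FORBIDDEN & set(raw):
        return None
    if any(word in raw.lower() for word in DENYLIST):  # lower() leaves U+017F untouched
        return None
    stored = unicodedata.normalize("NFKC", raw)        # backend canonicalizes...
    return stored[:MAX_LEN]                            # ...and silently truncates


def hardened_filter(raw: str):
    """Right order: normalize once at the trust boundary, then validate the
    canonical form, including its post-expansion length."""
    value = unicodedata.normalize("NFKC", raw)
    if len(value) > MAX_LEN or FORBIDDEN & set(value):
        return None
    if any(word in value.casefold() for word in DENYLIST):  # full case folding, not lower()
        return None
    return value


def strict_decode(data: bytes):
    """Overlong UTF-8 (e.g. C0 AF for '/') must be rejected, never repaired.
    Python's codec already refuses it; a lenient decoder that maps it to '/' is the bug."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    for name, probe in PROBES.items():
        print(f"{name:14} vulnerable={vulnerable_filter(probe)!r:12} hardened={hardened_filter(probe)!r}")
    print("overlong slash:", strict_decode(b"\xc0\xaf"), "| plain slash:", strict_decode(b"/"))
```

Run it and the vulnerable path stores `<b>`, `script`, and a truncated `adminffi` that was never validated in that form, while the hardened path rejects all three. The same ordering rule applies to a WAF: it must see the bytes exactly as the origin will interpret them, or it must reject anything that changes under normalization.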
Reckoning with the Limits of Machine Intelligence
In the session Cybersecurity, AI, and Our Brains: A Fireside Chat with Gary Marcus, the renowned cognitive scientist and AI expert delivered a much-needed critique of the growing hype surrounding generative AI systems. Marcus dissected the risks and limitations of relying too heavily on tools like ChatGPT, warning against a phenomenon he referred to as "ChatGPT psychosis," where users overestimate the decision-making capabilities and reliability of these systems. Marcus also emphasized the potential of neuro-symbolic AI, which was a new term for me. If I'm correct in understanding this, neuro-symbolic AI is a hybrid approach combining neural networks with symbolic reasoning, to address the abstraction and reasoning challenges current systems cannot handle. The audience was urged to treat AI as a tool, not an oracle, and deploy it with a full understanding of its limitations.
HTTP/1.1 Must Die! The Desync Endgame
HTTP request smuggling, a decades-old attack method, is still alive and kicking thanks to lingering weaknesses in HTTP/1.1 implementations, as the researcher showed in HTTP/1.1 Must Die! The Desync Endgame. He demonstrated how desync attacks continue to exploit weak request/response isolation and server behavioral quirks around the Expect request header: whenever a front end and a back end disagree about where one request ends and the next begins, an attacker's bytes become the prefix of someone else's request. The session wasn't just about exposing vulnerabilities; it also introduced updates to the popular HTTP Request Smuggler Burp extension, which make it easier for security teams to identify and explore multiple desync variants within their own environments. The talk title says it all, but the researcher did reinforce the urgent need to transition to HTTP/2, whose binary framing carries each body's length explicitly and so removes the header ambiguity these attacks rely on. The caveat for defenders is that this only holds end to end: a front end that accepts HTTP/2 and then downgrades to HTTP/1.1 toward the back end re-creates the same ambiguity on the internal hop. Read more about the research here.
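To make the "disagree about where a request ends" point concrete, here is an added example (my own code, not the researcher's tooling, and it shows the classic Content-Length versus Transfer-Encoding disagreement rather than the Expect-header variants from the talk). Two deliberately minimal HTTP/1.1 framers read the same byte stream; one lets Content-Length win, the other lets a chunked Transfer-Encoding win. RFC 9112 says Transfer-Encoding must win and that a message carrying both ought to be treated as an error, but servers that ignore that rule are exactly what a desync needs. The request bytes, host names and paths are constructed for the example.

```python
# Two minimal HTTP/1.1 request framers that disagree about which header ends a
# body. Feeding one byte stream to both shows the desync. Constructed example;
# trailers and most error handling are omitted on purpose.

def parse_headers(head: bytes) -> dict:
    """Lower-cased header name -> value for everything after the request line."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def read_chunked(stream: bytes, pos: int):
    """Consume a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end == -1:
            raise ValueError("truncated chunked body")
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return body, pos + 2          # skip the CRLF that closes the (empty) trailer section
        body += stream[pos:pos + size]
        pos += size + 2                   # skip chunk data and its trailing CRLF


def split_requests(stream: bytes, prefer: str):
    """Frame a byte stream into (request_line, body) pairs.
    prefer='cl' lets Content-Length win when both headers are present,
    prefer='te' lets Transfer-Encoding: chunked win (the RFC 9112 behaviour)."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break                         # incomplete head; a real server would wait for more bytes
        head = stream[pos:end]
        body_start = end + 4
        headers = parse_headers(head)
        cl = headers.get("content-length")
        te = headers.get("transfer-encoding")
        if te == "chunked" and (prefer == "te" or cl is None):
            body, pos = read_chunked(stream, body_start)
        elif cl is not None:
            n = int(cl)
            body, pos = stream[body_start:body_start + n], body_start + n
        else:
            body, pos = b"", body_start
        requests.append((head.split(b"\r\n")[0].decode(), body))
    return requests


# Constructed attacker request: Content-Length covers the whole body, including a
# complete second request hidden after the terminating zero-length chunk.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + BODY
)


def demonstrate():
    """Return (requests seen by a CL-first front end, requests seen by a TE-first back end)."""
    front = split_requests(ATTACK, "cl")
    back = split_requests(ATTACK, "te")
    return [r[0] for r in front], [r[0] for r in back]


if __name__ == "__main__":
    front, back = demonstrate()
    print("front end (Content-Length wins):", front)
    print("back end  (chunked wins):       ", back)
```

The front end frames one request and applies its access-control decision to `POST /`; the back end frames two and also serves `GET /admin`, which the front end never evaluated. HTTP/2's DATA frames carry an explicit length, so there is no second header for the two sides to argue about, which is the whole argument for retiring HTTP/1.1 on every hop rather than only at the edge.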
A brief note on DEF CON
DEF CON, held alongside Black Hat, shifts the focus to core hacking and hands-on exploration. In an era dominated by AI and cutting-edge tech, I chose to spend my time in the Tamper Evidence Village, diving into the fundamentals of physical security. This is an often-overlooked yet critical area in the modern threat landscape. Along the way, I also caught a few technical talks, reinforcing the reminder that both the simplest physical vulnerabilities and sophisticated exploits can have massive impacts.
That's it for this week. Hope you enjoyed the content!