Nullcon Goa

Racing & Fuzzing HTTP/3 with QuicDraw


Course

Maor Abutbul of CyberArk Labs demonstrates how QUIC's multiplexing can be weaponized for race conditions and fuzzing via QuicDraw, an open-source HTTP/3 security testing tool.

HTTP/3 now powers more than 35% of internet-facing websites, yet the security tooling to test it barely exists. No major interception proxy supports it, and the assumption that QUIC's per-stream multiplexing makes race conditions impossible turns out to be wrong. This session walks through the research journey that challenged that assumption and produced QuicDraw, an open-source tool purpose-built for fuzzing and race condition testing over HTTP/3.

This session, led by Maor Abutbul of CyberArk Labs, will cover:

  • How HTTP/3's QUIC transport eliminates TCP head-of-line blocking;
  • How the QUIC-FIN sync technique exploits multiplexing to synchronize bulk request release and trigger server-side race conditions;
  • How QuicDraw and QuicDraw-UI work under the hood, including support for fuzzing, parallel request dispatch and copy-cURL compatibility with existing browser and proxy workflows.

Here is the course outline:

Why-So-QUIC!? Racing and Fuzzing HTTP/3 With QuicDraw-UI

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
