[arkadiyt]

Blackhat/Defcon videos aren't up yet but Orange Tsai gave the same talk at HITBGSEC and that video is up:

https://www.youtube.com/watch?v=D1S-G8rJrEk

He also has a blog post about it:

http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilitie...

The premise is that URL parsing is complex and libraries get it wrong. This problem is pervasive and leads to server side request forgery vulnerabilities, which Orange was able to escalate to remote code execution on Github.