HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. In this paper, I'll introduce multiple new classes of HTTP/2-exclusive threats caused by both implementation flaws and RFC imperfections.

I'll start by showing how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. These achieve critical impact by hijacking clients, poisoning caches, and stealing credentials to net multiple max-bounties.

After that, I'll unveil novel techniques and tooling to crack open desync-powered request tunnelling - a widespread but overlooked request smuggling variant that is typically mistaken for a false positive. Finally, I'll share multiple new exploit-primitives introduced by HTTP/2, exposing fresh server-layer and application-layer attack surface.

This research paper accompanies a presentation at Black Hat USA and DEF CON, and a recording will be embedded on this page shortly. It is also available as a printable whitepaper.

This paper is focused entirely on the technical details - if you'd like extra insight into the research journey, please check out the presentation:

The first step to exploiting HTTP/2 is learning the protocol fundamentals. Fortunately, there's less to learn than you might think. I started this research by coding an HTTP/2 client from scratch, but I've concluded that for the attacks described in this paper, we can safely ignore the details of many lower-level features like frames and streams.

Although HTTP/2 is complex, it's designed to transmit the same information as HTTP/1.1. Here's an equivalent request represented in the two protocols.

HTTP/1.1:
POST /login HTTP/1.1 \r\n

Assuming you're already familiar with HTTP/1, there are only three new concepts that you need to understand.

In HTTP/1, the first line of the request contains the request method and path. HTTP/2 replaces the request line with a series of pseudo-headers. The five pseudo-headers are easy to recognize as they're represented using a colon at the start of the name:

:method - The request method
:scheme - The request scheme, typically 'http' or 'https'
:status - The response status code - not used in requests

HTTP/1 is a text-based protocol, so requests are parsed using string operations. For example, a server needs to look for a colon in order to know when a header name ends. The potential for ambiguity in this approach is what makes desync attacks possible. HTTP/2 is a binary protocol like TCP, so parsing is based on predefined offsets and much less prone to ambiguity. This paper represents HTTP/2 requests using a human-readable abstraction rather than the actual bytes. For example, on the wire, pseudo-header names are actually mapped to a single byte - they don't really contain a colon.

In HTTP/1, the length of each message body is indicated via the Content-Length or Transfer-Encoding header. In HTTP/2, those headers are redundant because each message body is composed of data frames which have a built-in length field. This means there's little room for ambiguity about the length of a message, and might leave you wondering how desync attacks using HTTP/2 are possible.

HTTP/2 Desync Attacks

Request Smuggling via HTTP/2 Downgrades

HTTP/2 downgrading is when a front-end server speaks HTTP/2 with clients, but rewrites requests into HTTP/1.1 before forwarding them on to the back-end server. This protocol translation enables a range of attacks, including HTTP request smuggling:

Classic request smuggling vulnerabilities mostly occur because the front-end and back-end disagree about whether to derive a request's length from its Content-Length (CL), or Transfer-Encoding (TE) header. Depending on which way around this desynchronization happens, the vulnerability is classified as CL.TE or TE.CL.

Front-ends speaking HTTP/2 almost always use HTTP/2's built-in message length. However, the back-end receiving a downgraded request doesn't have access to this data, and must use the CL or TE header. This leads to two main types of vulnerability: H2.TE and H2.CL.

We've now covered enough theory to start exploring some real vulnerabilities. To find these, I implemented automated detection in HTTP Request Smuggler, using an adapted version of the timeout-based H1-desync detection strategy. Once implemented, I used this to scan my pipeline of websites with bug-bounty programs.
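The H2.CL and H2.TE downgrade mechanism discussed above, as an added example that is not code from the paper or from HTTP Request Smuggler: a toy front-end that copies headers verbatim during the HTTP/2 to HTTP/1.1 rewrite sits beside a hardened one that derives Content-Length from the frame length, and a minimal back-end parser shows where the leftover bytes of a desync come from. The H2Request class, the helper names and the sample request values are all constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class H2Request:
    """Human-readable view of an HTTP/2 request (constructed abstraction)."""
    pseudo: dict                                   # e.g. {":method": "POST", ...}
    headers: list = field(default_factory=list)    # list of (name, value) pairs
    body: bytes = b""                              # reassembled from DATA frames

def _prefix(req: H2Request) -> list:
    """Request line plus Host, rebuilt from the pseudo-headers."""
    return [f"{req.pseudo[':method']} {req.pseudo[':path']} HTTP/1.1",
            f"Host: {req.pseudo[':authority']}"]

def downgrade_naive(req: H2Request) -> bytes:
    """Rewrite to HTTP/1.1, copying every header verbatim. A client-supplied
    Content-Length or Transfer-Encoding survives, so the back-end can disagree
    with the frame-derived length the front-end used (H2.CL / H2.TE)."""
    lines = _prefix(req) + [f"{n}: {v}" for n, v in req.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req.body

def downgrade_hardened(req: H2Request) -> bytes:
    """Same rewrite, but drop client-supplied length headers and emit a
    Content-Length derived from the DATA-frame length actually received."""
    lines = _prefix(req) + [f"{n}: {v}" for n, v in req.headers
                            if n.lower() not in ("content-length", "transfer-encoding")]
    lines.append(f"Content-Length: {len(req.body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req.body

def backend_split(stream: bytes):
    """Consume one request the way an HTTP/1.1 back-end does: chunked if
    Transfer-Encoding says so, else Content-Length (no trailer support).
    Returns (body, leftover); non-empty leftover is the desync."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)
            if size == 0:
                return body, rest[2:]        # skip the CRLF after the last chunk
            body += rest[:size]
            rest = rest[size + 2:]           # chunk data plus its trailing CRLF
    length = int(hdrs.get(b"content-length", b"0"))
    return rest[:length], rest[length:]
```

With the naive rewrite, the bytes the front-end already counted as body are reparsed by the back-end as the start of the next request; the hardened rewrite leaves nothing over because both sides now agree on the length.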