Completed
Cache poisoning via tunnelling
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
HTTP/2 - The Sequel is Always Worse
Automatically move to the next video in the Classroom when playback concludes
- 1 Intro
- 2 Outline
- 3 Request Smuggling via HTTP/2 downgrades
- 4 H2.TE Desync: URL token hijack
- 5 H2.TE Desync: Header hijack
- 6 H2.X via Request Splitting - Resp Queue Poisoning
- 7 H2.TE via request line injection
- 8 Possible attacks
- 9 No connection reuse
- 10 Tunnelling confirmation
- 11 Tunnel-vision Problem: Front-end reads Scontent-length bytes from back-end
- 12 Leaking internal headers via tunnelling
- 13 Cache poisoning via tunnelling
- 14 Ambiguous HTTP/2 requests
- 15 URL prefix injection
- 16 Header name splitting
- 17 The tooling situation Existing tooling does not work
- 18 Defence
- 19 References & further reading
- 20 Takeaways