Overview
Syllabus
Intro
Outline
Request Smuggling via HTTP/2 downgrades
H2.TE Desync: URL token hijack
H2.TE Desync: Header hijack
H2.X via Request Splitting - Response Queue Poisoning
H2.TE via request line injection
Possible attacks
No connection reuse
Tunnelling confirmation
Tunnel-vision Problem: Front-end reads Content-Length bytes from back-end
Leaking internal headers via tunnelling
Cache poisoning via tunnelling
Ambiguous HTTP/2 requests
URL prefix injection
Header name splitting
The tooling situation: Existing tooling does not work
Defence
References & further reading
Takeaways
Taught by
Black Hat