Explore the frontier of HTTP/2 research in this Black Hat conference talk, uncovering implementation flaws and RFC imperfections that enable HTTP/2-exclusive desync attacks. Delve into case studies targeting high-profile websites powered by various servers, including Amazon's Application Load Balancer, WAFs, CDNs, and bespoke stacks by big tech. Learn about request smuggling via HTTP/2 downgrades, H2.TE Desync attacks, H2.X via Request Splitting, and ambiguous HTTP/2 requests. Discover potential attacks, including URL token hijacking, header hijacking, and cache poisoning via tunnelling. Examine the tooling situation and defense strategies against these vulnerabilities. Gain valuable insights into the security implications of HTTP/2 implementation and walk away with key takeaways to enhance your understanding of this protocol's potential risks.
Overview
Syllabus
Intro
Outline
Request Smuggling via HTTP/2 downgrades
H2.TE Desync: URL token hijack
H2.TE Desync: Header hijack
H2.X via Request Splitting - Resp Queue Poisoning
H2.TE via request line injection
Possible attacks
No connection reuse
Tunnelling confirmation
Tunnel-vision Problem: Front-end reads Scontent-length bytes from back-end
Leaking internal headers via tunnelling
Cache poisoning via tunnelling
Ambiguous HTTP/2 requests
URL prefix injection
Header name splitting
The tooling situation Existing tooling does not work
Defence
References & further reading
Takeaways
Taught by
Black Hat
Related Courses
-
HTTP/2 - The Sequel is Always Worse
-
HTTP Desync Attacks - Request Smuggling Reborn
-
Practical Attacks Using HTTP Request Smuggling
-
Browser-Powered Desync Attacks - A New Frontier in HTTP Request Smuggling
-
Practical HTTP Header Smuggling - Sneaking Past Reverse Proxies to Attack AWS and Beyond
-
HTTP Request Smuggling in 2020 - New Variants, New Defenses and New Challenges
