Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

H2C Smuggling in the Wild

Sean Yeoh - Assetnote, posted 4 years ago
  • H2C smuggling is a fairly new form of HTTP smuggling that allows reverse proxy access controls to be bypassed via tunneling. If a company relies on the reverse proxy for access controls, this is a major security concern.
  • The H2C attack relies on specific headers being sent that allow the smuggling to occur (not all proxies forward them). However, the original author makes a small comment that "not all backends are compliant." Using that idea to test non-compliant header variants, the headers may sneak past the reverse proxies to the backend server.
  • The author of this article had to make a substantial number of alterations to the Go H2C libraries in order to run these non-compliant tests for both the client and server. This tool can be found here.
  • The main piece of non-compliance was to use the Connection: Upgrade variant, where HTTP2-Settings is omitted from the Connection header. Because the proxies do not anticipate this variant, it could be used to smuggle a protocol upgrade request to the backend.
  • The author found this bypass to work with Cloudflare and Azure, with some other providers not allowing disclosure at this time. This smuggling bypass technique worked fairly well!
  • Originally, I mentioned that the author not having any examples of exploitable servers made this theoretical and not very useful. However, on Reddit the author commented that some servers were vulnerable (such as traefik) but they were not pointed out in the article. Interesting!
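A proxy-side check for the upgrade variants described in the notes above, written here as an added example (it is not code from the Assetnote article or its tool). It assumes request headers are given as a dict of unique header names; the sample header values are constructed.

```python
# Added example: classify an incoming request's h2c upgrade attempt and strip
# the hop-by-hop upgrade headers before the request is forwarded to a backend.
# Handles both the RFC 7540 form ("Connection: Upgrade, HTTP2-Settings") and the
# non-compliant variant in which HTTP2-Settings is left out of Connection.
from typing import Dict, List


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def classify_h2c(headers: Dict[str, str]) -> str:
    """Return 'none', 'compliant' or 'noncompliant' for an h2c upgrade attempt."""
    h = {k.lower(): v for k, v in headers.items()}
    if "h2c" not in _tokens(h.get("upgrade", "")):
        return "none"
    conn = _tokens(h.get("connection", ""))
    if "upgrade" in conn and "http2-settings" in conn and "http2-settings" in h:
        return "compliant"
    # Upgrade: h2c present but Connection does not list HTTP2-Settings (or the
    # header itself is missing): the variant a proxy may fail to recognise.
    return "noncompliant"


def sanitize_for_backend(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop Upgrade/HTTP2-Settings and their Connection tokens so the backend
    never sees an upgrade request the proxy did not explicitly handle."""
    out: Dict[str, str] = {}
    for k, v in headers.items():
        lk = k.lower()
        if lk in ("upgrade", "http2-settings"):
            continue
        if lk == "connection":
            kept = [t for t in _tokens(v) if t not in ("upgrade", "http2-settings")]
            if kept:
                out[k] = ", ".join(kept)
            continue
        out[k] = v
    return out


# Constructed sample requests (HTTP2-Settings value is a placeholder).
COMPLIANT = {"Host": "app.example", "Connection": "Upgrade, HTTP2-Settings",
             "Upgrade": "h2c", "HTTP2-Settings": "AAMAAABkAAQAAP__"}
NONCOMPLIANT = {"Host": "app.example", "Connection": "Upgrade",
                "Upgrade": "h2c", "HTTP2-Settings": "AAMAAABkAAQAAP__"}
```

The sanitized dict is what should reach the backend; logging any request that classifies as `noncompliant` gives a cheap detection signal for this probing.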