HTTP/2: The Sequel is Always Worse

Conference:  BlackHat USA 2021



The presentation discusses the use of HTTP/2 for request smuggling and request tunneling, as well as new exploit primitives and defense strategies.
  • HTTP/2 has four key differences from HTTP/1, including the use of pseudo headers and a binary protocol
  • HTTP/2 can be used for request smuggling and request tunneling, which can lead to critical vulnerabilities
  • New exploit primitives have been discovered for HTTP/2
  • Defense strategies include avoiding HTTP/2 downgrading and strict validation of headers
The presenter struggled to exploit Bitbucket, but eventually discovered a new type of desynchronization attack and was awarded a bounty by Atlassian. This led to the discovery of new techniques for HTTP/2 exploitation.


HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections. I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. One of these attacks remarkably offers an array of exploit-paths surpassing all known techniques.After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.Finally, I'll drop multiple exploit-primitives that resurrect a largely forgotten class of vulnerability, and use HTTP/2 to expose a fresh application-layer attack surface.I'll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems.