HTTP/2: The Sequel is Always Worse

Conference:  Defcon 29



HTTP Desync Attacks and Web Cache Poisoning
  • HTTP Desync Attacks can be used to exploit blind request tunneling vulnerabilities
  • Internal headers can be exploited by injecting new lines and headers to cause desynchronization
  • Web Cache Poisoning can be achieved by mixing and matching response headers and bodies
  • Netlify CDN had a request header injection vulnerability that allowed for persistent control over every page on every site using the CDN
  • Atlassian's Jira had a vulnerability that allowed for multiple responses to be received by sending multiple new lines in headers
The speaker discovered a way to exploit a blind request tunneling vulnerability by changing the method from post to head, which resulted in multiple responses from the back end being received. They also found that injecting new lines and headers can cause desynchronization and allow for the exploitation of internal headers. The speaker was able to use web cache poisoning to take full control over every page on Bitbucket's website and received a bounty for reporting the issue. They also discovered a request header injection vulnerability in Netlify CDN and Atlassian's Jira, which allowed for persistent control and multiple responses to be received, respectively.


HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC oversights. I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive. Finally, I'll drop multiple exploit-primitives that resurrect a largely-forgotten class of vulnerability, and use HTTP/2 to expose fresh application-layer attack surface. I'll leave you with an open-source scanner, a custom, open-source HTTP/2 stack, and free interactive labs so you can hone your new skills on live systems. REFERENCES: The HTTP/2 RFC is essential reading: https://tools.ietf.org/html/rfc7540 This research is built on my previous work on this topic: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn This presentation by defparam has good explanations of response queue poisoning and self-desync attacks: https://www.youtube.com/watch?v=3tpnuzFLU8g I had a partial research collision with Emil Lerner. His work provides an alternative perspective on certain techniques: https://github.com/neex/http2smugl