HTTP/2: The Sequel is Always Worse

Presented at DEF CON 29 (2021), Aug. 6, 2021, 10 a.m. (45 minutes)

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC oversights. I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive. Finally, I'll drop multiple exploit-primitives that resurrect a largely-forgotten class of vulnerability, and use HTTP/2 to expose fresh application-layer attack surface. I'll leave you with an open-source scanner, a custom, open-source HTTP/2 stack, and free interactive labs so you can hone your new skills on live systems. REFERENCES: The HTTP/2 RFC is essential reading: https://tools.ietf.org/html/rfc7540 This research is built on my previous work on this topic: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn This presentation by defparam has good explanations of response queue poisoning and self-desync attacks: https://www.youtube.com/watch?v=3tpnuzFLU8g I had a partial research collision with Emil Lerner. His work provides an alternative perspective on certain techniques: https://github.com/neex/http2smugl

Presenters:

• James Kettle / albinowax - Director of Research, PortSwigger Web Security   as James Kettle
  James Kettle is Director of Research at PortSwigger Web Security, where he cultivates novel web attack techniques. Recent work has focused on HTTP Request Smuggling, and using web cache poisoning to turn caches into exploit delivery systems. Past research includes server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He is also the author of multiple popular Burp Suite extensions including HTTP Request Smuggler, Param Miner and Turbo Intruder. He has spoken at numerous prestigious venues including DEF CON, both BlackHat USA and EU, and OWASP AppSec USA and EU. @albinowax https://skeletonscribe.net/

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#kettle
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - James Kettle - HTTP2 - The Sequel is Always Worse.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/James Kettle - HTTP2 - The Sequel is Always Worse - Slides.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/James Kettle - HTTP2 - The Sequel is Always Worse - Whitepaper.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - James Kettle - HTTP2 - The Sequel is Always Worse.srt (subtitles)
• https://www.youtube.com/watch?v=rHxVVeM9R-M

Similar Presentations:

• Black Hat Europe 2021 / HTTP/2: The Sequel is Always Worse
• Black Hat USA 2021 / HTTP/2: The Sequel is Always Worse
• DEF CON 29 (2021) / Response Smuggling: Pwning HTTP/1.1 Connections