Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/5/2021
09:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

HTTP/2 Implementation Errors Exposing Websites to Serious Risks

Organizations that don't implement end-to-end HTTP/2 are vulnerable to attacks that redirect users to malicious sites and other threats, security researcher reveals at Black Hat USA.

BLACK HAT USA 2021 - Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, a security researcher warned in a presentation at Black Hat USA Thursday.

James Kettle -- director of research at PortSwigger who at Black Hat two years demonstrated so-called Desync attacks against websites using the HTTP protocol -- this week showed how similar attacks could be carried out with potentially severe consequences against websites using the HTTP/2 standard.

As proof-of-concept, Kettle described attacks he was able to execute using his techniques against websites belonging to organizations such as Netflix, those powered by Amazon's application load balancer, and websites using Imperva's cloud Web application firewall. In many instances he was able to redirect requests from Web-facing servers at these sites to his own server.

Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1. As Google describes it, "all the core concepts, such as HTTP methods, status codes, URIs, and header fields, remain in place," with the new protocol. "Instead, HTTP/2 modifies how the data is formatted (framed) and transported between the client and server, both of which manage the entire process, and hides all the complexity from our applications within the new framing layer."

According to Kettle, a whole slew of security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients back to HTTP/1.1 before forwarding them to a back-end server. 

"A vast majority of the servers that speak HTTP/2 actually speak HTTP/1 to the back-end," he said during his Black Hat talk. They speak H2 to the client and H1 with the back-end, Kettle said.

"This set up is ridiculously common," he noted.  Kettle pointed to Amazon's Application Load Balancer, for example, where this communication cannot be disabled. Such HTTP/2 downgrades and protocol translations gives attackers a way to carry out Desync attacks, Kettle said.

HTTP Desync attacks basically abuse weaknesses in how back-end servers interpret and respond to consecutive requests from a front-end server, load-balancer, or proxy server. For example, front-end servers speaking HTTP/2 follow a specific format for conveying message length to the back-end server. But a back-end server that only speaks HTTP/1.1 will not recognize the data because it derives information about the length of a request via other methods. 

Attackers can take advantage of disagreements over message length between the front-end server and back-end server to essentially interfere with the way an application might handle requests.

High-Profile Targets
To show how such an attack would work, Kettle pointed to an exploit he executed against Netflix where front-end servers performed HTTP downgrading without verifying request lengths. The vulnerability allowed Kettle to develop an exploit that triggered Netflix's back-end to redirect requests from Netflix's front-end to his own server. That allowed Kettle to potentially execute malicious code to compromise Netflix accounts, steal user passwords, credit card information, and other data. Netflix patched the vulnerability and awarded Kettle its maximum bounty of $20,000 for reporting it to the company.

In another instance, Kettle discovered that Amazon's Application Load Balancer had failed to implement an HTTP/2 specification regarding certain message-header information that HTTP/1.1 uses to derive request lengths. With this vulnerability, Kettle was able to show how an attacker could exploit it to redirect requests from front-end servers to an attacker-controlled server.  He found a vulnerable law-enforcement access portal while using the Amazon load balancer.

Almost every website using the Amazon load balancer was vulnerable to exploit, Kettle said. So, too, was a CMS powering multiple news sites such as Huffington Post - and every website using an Imperva WAF, he added.

During his presentation, Kettle highlighted several other exploits he had developed to take advantage of vulnerabilities that arise when organizations downgrade HTTP/2 to HTTP. He also released an updated version of HTTP Request Smuggler, a tool that organizations can use to detect HTTP/2 specific vulnerabilities on their network. Burp Suite vulnerability scanner has also been updated to detect these vulnerabilities, Kettle said.

"Please just avoid HTTP/2 downgrading," he advised. "Just speak HTTP/2 end-to-end. If you do that, about 80% of the attacks from this presentation simply won't work."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33035
PUBLISHED: 2021-09-23
Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the all...
CVE-2021-34767
PUBLISHED: 2021-09-23
A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a denial of service (DoS) condition for that V...
CVE-2021-34768
PUBLISHED: 2021-09-23
Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected dev...
CVE-2021-34769
PUBLISHED: 2021-09-23
Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected dev...
CVE-2021-34770
PUBLISHED: 2021-09-23
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a deni...