Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->
09:00 PM
Connect Directly

HTTP/2 Implementation Errors Exposing Websites to Serious Risks

Organizations that don't implement end-to-end HTTP/2 are vulnerable to attacks that redirect users to malicious sites and other threats, security researcher reveals at Black Hat USA.

BLACK HAT USA 2021 - Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, a security researcher warned in a presentation at Black Hat USA Thursday.

James Kettle -- director of research at PortSwigger who at Black Hat two years demonstrated so-called Desync attacks against websites using the HTTP protocol -- this week showed how similar attacks could be carried out with potentially severe consequences against websites using the HTTP/2 standard.

As proof-of-concept, Kettle described attacks he was able to execute using his techniques against websites belonging to organizations such as Netflix, those powered by Amazon's application load balancer, and websites using Imperva's cloud Web application firewall. In many instances he was able to redirect requests from Web-facing servers at these sites to his own server.

Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1. As Google describes it, "all the core concepts, such as HTTP methods, status codes, URIs, and header fields, remain in place," with the new protocol. "Instead, HTTP/2 modifies how the data is formatted (framed) and transported between the client and server, both of which manage the entire process, and hides all the complexity from our applications within the new framing layer."

According to Kettle, a whole slew of security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients back to HTTP/1.1 before forwarding them to a back-end server. 

"A vast majority of the servers that speak HTTP/2 actually speak HTTP/1 to the back-end," he said during his Black Hat talk. They speak H2 to the client and H1 with the back-end, Kettle said.

"This set up is ridiculously common," he noted.  Kettle pointed to Amazon's Application Load Balancer, for example, where this communication cannot be disabled. Such HTTP/2 downgrades and protocol translations gives attackers a way to carry out Desync attacks, Kettle said.

HTTP Desync attacks basically abuse weaknesses in how back-end servers interpret and respond to consecutive requests from a front-end server, load-balancer, or proxy server. For example, front-end servers speaking HTTP/2 follow a specific format for conveying message length to the back-end server. But a back-end server that only speaks HTTP/1.1 will not recognize the data because it derives information about the length of a request via other methods. 

Attackers can take advantage of disagreements over message length between the front-end server and back-end server to essentially interfere with the way an application might handle requests.

High-Profile Targets
To show how such an attack would work, Kettle pointed to an exploit he executed against Netflix where front-end servers performed HTTP downgrading without verifying request lengths. The vulnerability allowed Kettle to develop an exploit that triggered Netflix's back-end to redirect requests from Netflix's front-end to his own server. That allowed Kettle to potentially execute malicious code to compromise Netflix accounts, steal user passwords, credit card information, and other data. Netflix patched the vulnerability and awarded Kettle its maximum bounty of $20,000 for reporting it to the company.

In another instance, Kettle discovered that Amazon's Application Load Balancer had failed to implement an HTTP/2 specification regarding certain message-header information that HTTP/1.1 uses to derive request lengths. With this vulnerability, Kettle was able to show how an attacker could exploit it to redirect requests from front-end servers to an attacker-controlled server.  He found a vulnerable law-enforcement access portal while using the Amazon load balancer.

Almost every website using the Amazon load balancer was vulnerable to exploit, Kettle said. So, too, was a CMS powering multiple news sites such as Huffington Post - and every website using an Imperva WAF, he added.

During his presentation, Kettle highlighted several other exploits he had developed to take advantage of vulnerabilities that arise when organizations downgrade HTTP/2 to HTTP. He also released an updated version of HTTP Request Smuggler, a tool that organizations can use to detect HTTP/2 specific vulnerabilities on their network. Burp Suite vulnerability scanner has also been updated to detect these vulnerabilities, Kettle said.

"Please just avoid HTTP/2 downgrading," he advised. "Just speak HTTP/2 end-to-end. If you do that, about 80% of the attacks from this presentation simply won't work."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-01-26
Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
PUBLISHED: 2023-01-26
Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.
PUBLISHED: 2023-01-26
An access control issue in Revenue Collection System v1.0 allows unauthenticated attackers to view the contents of /admin/DBbackup/ directory.
PUBLISHED: 2023-01-26
Revenue Collection System v1.0 was discovered to contain a SQL injection vulnerability at step1.php.
PUBLISHED: 2023-01-26
Unrestricted Upload of File with Dangerous Type in GitHub repository unilogies/bumsys prior to v1.0.3-beta.