Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

09:00 PM
Connect Directly

HTTP/2 Implementation Errors Exposing Websites to Serious Risks

Organizations that don't implement end-to-end HTTP/2 are vulnerable to attacks that redirect users to malicious sites and other threats, security researcher reveals at Black Hat USA.

BLACK HAT USA 2021 - Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, a security researcher warned in a presentation at Black Hat USA Thursday.

James Kettle -- director of research at PortSwigger who at Black Hat two years demonstrated so-called Desync attacks against websites using the HTTP protocol -- this week showed how similar attacks could be carried out with potentially severe consequences against websites using the HTTP/2 standard.

As proof-of-concept, Kettle described attacks he was able to execute using his techniques against websites belonging to organizations such as Netflix, those powered by Amazon's application load balancer, and websites using Imperva's cloud Web application firewall. In many instances he was able to redirect requests from Web-facing servers at these sites to his own server.

Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1. As Google describes it, "all the core concepts, such as HTTP methods, status codes, URIs, and header fields, remain in place," with the new protocol. "Instead, HTTP/2 modifies how the data is formatted (framed) and transported between the client and server, both of which manage the entire process, and hides all the complexity from our applications within the new framing layer."

According to Kettle, a whole slew of security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients back to HTTP/1.1 before forwarding them to a back-end server. 

"A vast majority of the servers that speak HTTP/2 actually speak HTTP/1 to the back-end," he said during his Black Hat talk. They speak H2 to the client and H1 with the back-end, Kettle said.

"This set up is ridiculously common," he noted.  Kettle pointed to Amazon's Application Load Balancer, for example, where this communication cannot be disabled. Such HTTP/2 downgrades and protocol translations gives attackers a way to carry out Desync attacks, Kettle said.

HTTP Desync attacks basically abuse weaknesses in how back-end servers interpret and respond to consecutive requests from a front-end server, load-balancer, or proxy server. For example, front-end servers speaking HTTP/2 follow a specific format for conveying message length to the back-end server. But a back-end server that only speaks HTTP/1.1 will not recognize the data because it derives information about the length of a request via other methods. 

Attackers can take advantage of disagreements over message length between the front-end server and back-end server to essentially interfere with the way an application might handle requests.

High-Profile Targets
To show how such an attack would work, Kettle pointed to an exploit he executed against Netflix where front-end servers performed HTTP downgrading without verifying request lengths. The vulnerability allowed Kettle to develop an exploit that triggered Netflix's back-end to redirect requests from Netflix's front-end to his own server. That allowed Kettle to potentially execute malicious code to compromise Netflix accounts, steal user passwords, credit card information, and other data. Netflix patched the vulnerability and awarded Kettle its maximum bounty of $20,000 for reporting it to the company.

In another instance, Kettle discovered that Amazon's Application Load Balancer had failed to implement an HTTP/2 specification regarding certain message-header information that HTTP/1.1 uses to derive request lengths. With this vulnerability, Kettle was able to show how an attacker could exploit it to redirect requests from front-end servers to an attacker-controlled server.  He found a vulnerable law-enforcement access portal while using the Amazon load balancer.

Almost every website using the Amazon load balancer was vulnerable to exploit, Kettle said. So, too, was a CMS powering multiple news sites such as Huffington Post - and every website using an Imperva WAF, he added.

During his presentation, Kettle highlighted several other exploits he had developed to take advantage of vulnerabilities that arise when organizations downgrade HTTP/2 to HTTP. He also released an updated version of HTTP Request Smuggler, a tool that organizations can use to detect HTTP/2 specific vulnerabilities on their network. Burp Suite vulnerability scanner has also been updated to detect these vulnerabilities, Kettle said.

"Please just avoid HTTP/2 downgrading," he advised. "Just speak HTTP/2 end-to-end. If you do that, about 80% of the attacks from this presentation simply won't work."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-24
Vulnerability in Oracle Linux (component: OSwatcher). Supported versions that are affected are 7 and 8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Linux executes to compromise Oracle Linux. Successful attacks of this vulnerability ca...
PUBLISHED: 2021-09-24
Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp...
PUBLISHED: 2021-09-24
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance...
PUBLISHED: 2021-09-24
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group co...
PUBLISHED: 2021-09-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.