Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Articles
9/16/2020, 04:20 PM
Seth Rosenblatt

h2c Smuggling: A New 'Devastating' Kind of HTTP Request

The newly discovered form of HTTP request smuggling could have widespread impact because any proxy can be affected, researchers say. Here's what infosec pros should know.

A new type of hack that piggybacks malicious Web requests alongside legitimate ones could be used to create a broad range of havoc in an organization, a report from cybersecurity company Bishop Fox reveals. 

"Devastating." That's how Bishop Fox lead researcher Jake Miller described this new form of HTTP request smuggling -- dubbed "h2c smuggling" -- in a September blog post. H2c is the established protocol shorthand for HTTP/2 initiated by an HTTP/1.1 Upgrade header sent over cleartext communication. The attack occurs when an attacker sends an h2c upgrade request through an intermediary server (a proxy); requests sent over the upgraded connection can then evade the access controls the proxy is supposed to enforce.

The consequences of h2c smuggling can be severe and are "a significant business risk," Miller said in an email. Hackers could use it to forge internal headers and access internal network endpoints.

Who's Vulnerable to h2c Smuggling?
Although Miller declined to state the number of Bishop Fox clients with the h2c smuggling vulnerability, he said he rushed publication of the blog post detailing the vulnerability because of the large number of clients impacted. 

"We found affected servers across a diverse set of clients (such as different industries, different offerings, and relative size), indicating that this issue doesn't seem to be confined to a particular type of organization," he said. 

The vulnerability appears to have such a potentially large scope of impact because "any" proxy can be affected. Individual proxied endpoints, such as /api/ or /payments/, can also be affected independently of the other endpoints behind the same proxy.

Consumers won't be affected directly by h2c smuggling, Miller said, but the technique could lead to unauthorized access to their data or to actions taken on their accounts.

"The key takeaway is that if your application relies on proxies to sanitize HTTP requests, it's critical to ensure that you are not forwarding arbitrary Upgrade headers, as it could expose you to h2c smuggling attacks," he said. "For organizations relying on proxies to prevent access to sensitive endpoints or restricting use of internal headers, this technique would allow attackers to bypass these controls."

Are There Attacks in the Wild? 
Because h2c smuggling has never been described before, Miller doesn't know whether it's been exploited by hackers. But similar HTTP request smuggling and forgeries that exploit inconsistencies in how HTTP is processed have been used to access internal management dashboards, perform IP address spoofing, impersonate actions for other customers or system users, and take advantage of header-based routing systems to gain further access in an organization's network. 

The hardest part of using h2c to attack an organization is to figure out what kind of damage can be done once the hacker has gotten access to the internal network, says James Kettle, director of research at London-based security company PortSwigger, and one of the security researchers who has made significant discoveries in the realm of HTTP request smuggling.

"The smuggling research that I've done, and others have done recently, can give you access to users or the website. This technique, h2c smuggling, just gives you direct access to the backend servers," Kettle explains. "It's really nice research that I'm annoyed I missed discovering when I was looking at this about a year ago."

How to Stop h2c Smuggling
Bishop Fox released a tool for checking whether an organization's proxy servers are vulnerable to h2c smuggling. But to stop the vulnerability from being exploited in the first place, Miller said, there are so far only two viable options.

The first is to permit only WebSocket upgrades in forwarded HTTP/1.1 Upgrade headers. The second is to disable WebSocket support altogether and stop forwarding Upgrade headers entirely.
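The following is an added example, not Bishop Fox's tool or any vendor's proxy code: a hop-by-hop header filter that a reverse proxy (or middleware in front of it) could apply before forwarding a request, implementing both options above, plus a check that flags h2c upgrade attempts for alerting. The header names and the sample request are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Option 1 from the article: the only Upgrade value a proxy should forward.
ALLOWED_UPGRADES = {"websocket"}


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into stripped, lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def is_h2c_attempt(headers: Dict[str, str]) -> bool:
    """True if the request asks for a cleartext HTTP/2 upgrade; worth logging at the proxy."""
    for name, value in headers.items():
        if name.lower() == "upgrade" and "h2c" in _tokens(value):
            return True
        if name.lower() == "http2-settings":  # only ever accompanies an h2c upgrade
            return True
    return False


def filter_upgrade(headers: Dict[str, str], allow_websocket: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers safe to forward, the header lines that were stripped).

    allow_websocket=True is the article's first option: Upgrade passes only when every
    token is 'websocket'. allow_websocket=False is the second option: Upgrade never passes.
    HTTP2-Settings is always stripped, and Connection loses tokens naming stripped headers,
    so the back end never sees a dangling 'Connection: Upgrade'.
    """
    upgrade = next((v for k, v in headers.items() if k.lower() == "upgrade"), None)
    toks = _tokens(upgrade) if upgrade is not None else []
    keep_upgrade = allow_websocket and bool(toks) and all(t in ALLOWED_UPGRADES for t in toks)
    forwarded, stripped = {}, []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "http2-settings" or (lname == "upgrade" and not keep_upgrade):
            stripped.append(f"{name}: {value}")
            continue
        if lname == "connection":
            kept = [t for t in _tokens(value)
                    if t != "http2-settings" and (t != "upgrade" or keep_upgrade)]
            if kept:
                forwarded[name] = ", ".join(kept)  # e.g. keep-alive survives
            else:
                stripped.append(f"{name}: {value}")
            continue
        forwarded[name] = value
    return forwarded, stripped


# Constructed sample: an h2c upgrade request as a proxy might receive it.
SMUGGLE_ATTEMPT = {"Host": "app.example", "Connection": "Upgrade, HTTP2-Settings",
                   "Upgrade": "h2c", "HTTP2-Settings": "<base64url SETTINGS placeholder>"}
# Constructed sample: a legitimate WebSocket handshake that option 1 should let through.
WEBSOCKET_REQUEST = {"Host": "app.example", "Connection": "Upgrade",
                     "Upgrade": "websocket", "Sec-WebSocket-Version": "13"}
```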

"From a triage perspective, it's hopefully a simple fix given that it can be addressed through a configuration change for most products," he said.


Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ... View Full Bio