0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [master] 2 pages and one asset modified

This commit is contained in:
CPol 2021-04-20 10:02:21 +00:00 committed by gitbook-bot
parent ea33c148e9
commit 79f8f82e55
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.gitbook/assets/image (446).png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

1
SUMMARY.md
View File

@ -343,6 +343,7 @@
* [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
* [Formula Injection](pentesting-web/formula-injection.md)
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling.md)
* [H2C Smuggling](pentesting-web/h2c-smuggling.md)
* [IDOR](pentesting-web/idor.md)
* [JWT Vulnerabilities \(Json Web Tokens\)](pentesting-web/hacking-jwt-json-web-tokens.md)
* [NoSQL injection](pentesting-web/nosql-injection.md)

28
pentesting-web/h2c-smuggling.md Normal file
View File

@ -0,0 +1,28 @@
# H2C Smuggling
**This information was taken from** [**https://blog.assetnote.io/2021/03/18/h2c-smuggling/**](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)**, for more information follow the link.**
## HTTP2 Over Cleartext \(H2C\) <a id="http2-over-cleartext-h2c"></a>
A normal HTTP connection typically lasts only for the duration of a single request. However, H2C or “**http2 over cleartext”** is where a normal transient http **connection is upgraded to a persistent connection that uses the http2 binary protocol** to communicate continuously instead of for one request using the plaintext http protocol.
The second part of the smuggling occurs when a **reverse proxy is used**. Normally, when http requests are made to a reverse proxy, the proxy will handle the request, process a series of routing rules, then forward the request onto the backend and then return the response. When a http request includes a `Connection: Upgrade` header, such as for a websocket connection, the reverse **proxy will maintain the persistent connection** between the client and server, **allowing for the continuous communication needed for these procotols**. For a H2C Connection, the RFC requires 3 headers to be present:
```text
Upgrade: h2c
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
Connection: Upgrade, HTTP2-Settings
```
So where is the bug? **When upgrading a connection, the reverse proxy will often stop handling individual requests**, assuming that once the connection has been established, its routing job is done. Using H2C Smuggling, we can bypass rules a reverse proxy uses when processing requests such as path based routing, authentication, or the WAF processing provided we can establish a H2C connection first.
![](../.gitbook/assets/image%20%28446%29.png)
## Exploitation <a id="exploitation"></a>
The original blog post points out that not all servers will forward the required headers for a compliant H2C connection upgrade. This means load balancers like AWS ALB/CLB, NGINX, and Apache Traffic Server amongst others will **prevent a H2C connection by default**. However, at the end of the blog post, he does mention that “not all backends were compliant, and we could **test with the non-compliant `Connection: Upgrade` variant, where the `HTTP2-Settings` value is omitted** from the `Connection` header.”
Using the tools ****[**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler) **and** [**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler) ****you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.