hacktricks/pentesting-web/http-connection-contamination.md

# HTTP qachDaq QaD

<details>

<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

HackTricks qorwagh:

* **QaD HackTricks** **company advertise** **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

**This is a summary of the post: [https://portswigger.net/research/http-3-connection-contamination](https://portswigger.net/research/http-3-connection-contamination)**. Check it for further details!

Web browsers can reuse a single HTTP/2+ connection for different websites through [HTTP connection coalescing](https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing), given shared IP addresses and a common TLS certificate. However, this can conflict with **first-request routing** in reverse-proxies, where subsequent requests are directed to the back-end determined by the first request. This misrouting can lead to security vulnerabilities, particularly when combined with wildcard TLS certificates and domains like `*.example.com`.

For example, if `wordpress.example.com` and `secure.example.com` are both served by the same reverse proxy and have a common wildcard certificate, a browser's connection coalescing could lead requests to `secure.example.com` to be wrongly processed by the WordPress back-end, exploiting vulnerabilities such as XSS.

To observe connection coalescing, Chrome's Network tab or tools like Wireshark can be used. Here's a snippet for testing:
```javascript
fetch('//sub1.hackxor.net/', {mode: 'no-cors', credentials: 'include'}).then(()=>{ fetch('//sub2.hackxor.net/', {mode: 'no-cors', credentials: 'include'}) })
```
**ghItlhmeH:** 
ghItlhmeH vItlhutlh HTTP/2 'ej first-request routing rarity vItlhutlh. 'ach HTTP/3 proposed changes, IP address match requirement relax, vItlhutlh servers wildcard certificate more vulnerable without needing a MITM attack, vItlhutlh. 

**Qapbe'wI'wI'**: 
first-request routing in reverse proxies vItlhutlh 'ej wildcard TLS certificates, especially HTTP/3 vItlhutlh, qapbe'wI'wI' vItlhutlh. web security jImej 'ej vItlhutlh, 'e' vItlhutlh vulnerabilities Hoch crucial. 

<details>

<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>tlhIngan Hol</strong></a><strong>!</strong></summary>

**HackTricks** vItlhutlh:

* **tlhIngan Hol** **HackTricks** **company advertised** **want** **download HackTricks** **PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* **official PEASS & HackTricks swag** Get the [**tlhIngan Hol**](https://peass.creator-spring.com)
* **The PEASS Family** Discover [**NFTs**](https://opensea.io/collection/the-peass-family), **exclusive** **collection** **our**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** [**peass**](https://t.me/peass) **follow** **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>