mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 22:20:43 +00:00
29 lines
2.6 KiB
Markdown
29 lines
2.6 KiB
Markdown
|
# H2C Smuggling
|
||
|
|
||
|
**This information was taken from** [**https://blog.assetnote.io/2021/03/18/h2c-smuggling/**](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)**, for more information follow the link.**
|
||
|
|
||
|
## HTTP2 Over Cleartext \(H2C\) <a id="http2-over-cleartext-h2c"></a>
|
||
|
|
||
|
A normal HTTP connection typically lasts only for the duration of a single request. However, H2C or “**http2 over cleartext”** is where a normal transient http **connection is upgraded to a persistent connection that uses the http2 binary protocol** to communicate continuously instead of for one request using the plaintext http protocol.
|
||
|
|
||
|
The second part of the smuggling occurs when a **reverse proxy is used**. Normally, when http requests are made to a reverse proxy, the proxy will handle the request, process a series of routing rules, then forward the request onto the backend and then return the response. When a http request includes a `Connection: Upgrade` header, such as for a websocket connection, the reverse **proxy will maintain the persistent connection** between the client and server, **allowing for the continuous communication needed for these procotols**. For a H2C Connection, the RFC requires 3 headers to be present:
|
||
|
|
||
|
```text
|
||
|
Upgrade: h2c
|
||
|
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
|
||
|
Connection: Upgrade, HTTP2-Settings
|
||
|
```
|
||
|
|
||
|
So where is the bug? **When upgrading a connection, the reverse proxy will often stop handling individual requests**, assuming that once the connection has been established, its routing job is done. Using H2C Smuggling, we can bypass rules a reverse proxy uses when processing requests such as path based routing, authentication, or the WAF processing provided we can establish a H2C connection first.
|
||
|
|
||
|
![](../.gitbook/assets/image%20%28446%29.png)
|
||
|
|
||
|
## Exploitation <a id="exploitation"></a>
|
||
|
|
||
|
The original blog post points out that not all servers will forward the required headers for a compliant H2C connection upgrade. This means load balancers like AWS ALB/CLB, NGINX, and Apache Traffic Server amongst others will **prevent a H2C connection by default**. However, at the end of the blog post, he does mention that “not all backends were compliant, and we could **test with the non-compliant `Connection: Upgrade` variant, where the `HTTP2-Settings` value is omitted** from the `Connection` header.”
|
||
|
|
||
|
Using the tools ****[**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler) **and** [**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler) ****you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.
|
||
|
|
||
|
|
||
|
|