hacktricks/pentesting-web/http-connection-contamination.md

HTTP qachDaq QaD

htARTE (HackTricks AWS Red Team Expert)! htARTE (HackTricks AWS Red Team Expert)!

HackTricks qorwagh:

• QaD HackTricks company advertise download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

This is a summary of the post: https://portswigger.net/research/http-3-connection-contamination. Check it for further details!

Web browsers can reuse a single HTTP/2+ connection for different websites through HTTP connection coalescing, given shared IP addresses and a common TLS certificate. However, this can conflict with first-request routing in reverse-proxies, where subsequent requests are directed to the back-end determined by the first request. This misrouting can lead to security vulnerabilities, particularly when combined with wildcard TLS certificates and domains like *.example.com.

For example, if wordpress.example.com and secure.example.com are both served by the same reverse proxy and have a common wildcard certificate, a browser's connection coalescing could lead requests to secure.example.com to be wrongly processed by the WordPress back-end, exploiting vulnerabilities such as XSS.

To observe connection coalescing, Chrome's Network tab or tools like Wireshark can be used. Here's a snippet for testing:

fetch('//sub1.hackxor.net/', {mode: 'no-cors', credentials: 'include'}).then(()=>{ fetch('//sub2.hackxor.net/', {mode: 'no-cors', credentials: 'include'}) })

ghItlhmeH: ghItlhmeH vItlhutlh HTTP/2 'ej first-request routing rarity vItlhutlh. 'ach HTTP/3 proposed changes, IP address match requirement relax, vItlhutlh servers wildcard certificate more vulnerable without needing a MITM attack, vItlhutlh.

Qapbe'wI'wI': first-request routing in reverse proxies vItlhutlh 'ej wildcard TLS certificates, especially HTTP/3 vItlhutlh, qapbe'wI'wI' vItlhutlh. web security jImej 'ej vItlhutlh, 'e' vItlhutlh vulnerabilities Hoch crucial.

htARTE (HackTricks AWS Red Team Expert) tlhIngan Hol!

HackTricks vItlhutlh:

• tlhIngan Hol HackTricks company advertised want download HackTricks PDF Check the SUBSCRIPTION PLANS!
• official PEASS & HackTricks swag Get the tlhIngan Hol
• The PEASS Family Discover NFTs, exclusive collection our
• Join the 💬 Discord group telegram group peass follow Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.