HTTP/2 request smuggling via CRLF injection

Description

This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests and fails to adequately sanitize incoming headers.

Reproduction and proof of concept

  1. In Burp’s browser, use the lab’s search function a couple of times and observe that the website records your recent search history. Send the most recent POST / request to Burp Repeater and remove your session cookie before resending the request. Notice that your search history is reset, confirming that it’s tied to your session cookie.

  2. Expand the Inspector’s Request Attributes section and change the protocol to HTTP/2.

  3. Using the Inspector, add an arbitrary header to the request. Append the sequence \r\n to the header’s value, followed by the Transfer-Encoding: chunked header:

Name

foo

Value

bar\r\n
Transfer-Encoding: chunked

  1. In the body, attempt to smuggle an arbitrary prefix as follows:

0

SMUGGLED

Observe that every second request you send receives a 404 response, confirming that you have caused the back-end to append the subsequent request to the smuggled prefix.

  1. Change the body of the request to the following:

HTTP header smuggling

  1. Send the request, then immediately refresh the page in the browser. The next step depends on which response you receive:

  • If you got lucky with your timing, you may see a 404 Not Found response. In this case, refresh the page again and move on to the next step.

  • If you instead see the search results page, observe that the start of your request is reflected on the page because it was appended to the search=x parameter in the smuggled prefix. In this case, send the request again, but this time wait for 15 seconds before refreshing the page. If you see a 404 response, just refresh the page again.

  1. Check the recent searches list. If it contains a GET request, this is the start of the victim user’s request and includes their session cookie. If you instead see your own POST request, you refreshed the page too early. Try again until you have successfully stolen the victim’s session cookie.

HTTP header smuggling

  1. In Burp Repeater, send a request for the home page using the stolen session cookie to solve the lab.

Exploitability

An attacker will need to use an HTTP/2-exclusive request smuggling vector to gain access to another user’s account. The victim accesses the home page every 15 seconds.