HTTP/2 Attacks Beyond Request Smuggling

TL;DR

Yes, HTTP/2 introduces new attack vectors beyond traditional request smuggling. These stem from its binary framing layer and stream multiplexing features. This guide explains common attacks and how to mitigate them.

Understanding the Difference

HTTP/1.1 relies on text-based messages separated by carriage returns and line feeds. Request Smuggling exploits ambiguities in parsing these messages, particularly with Content-Length and Transfer-Encoding headers. HTTP/2 uses a binary framing layer which is less prone to those specific issues but introduces new ones.

Common HTTP/2 Specific Attacks

1. Stream Multiplexing Abuse: HTTP/2 allows multiple requests (streams) over a single TCP connection. Attackers can manipulate stream priorities and dependencies to exhaust server resources or cause denial of service.
   • Priority Manipulation: Sending streams with very high priority can starve lower-priority legitimate requests.
   • Stream Reset Attacks: Repeatedly opening and resetting streams can overwhelm the server’s connection handling.
2. Header Field Size Limits: While HTTP/2 supports larger headers, servers may still have internal limits. Sending excessively large header fields can cause crashes or resource exhaustion.
   • Testing Header Limits: Use tools like curl with custom headers to identify server limitations.

     curl -H 'X-Large-Header: A'*10000 + 'B' http://example.com

3. Settings Frame Attacks: HTTP/2 uses SETTINGS frames to configure connection parameters (e.g., maximum header list size, window size). Maliciously crafted settings can disrupt the connection.
   • SETTINGS_MAX_FRAME_SIZE: Reducing this value too low can cause fragmentation issues and potentially denial of service.
   • SETTINGS_INITIAL_WINDOW_SIZE: Setting a very small initial window size can limit data flow.
4. Continuation Frame Attacks: Continuation frames are used to send header fields that exceed the maximum frame size. Attackers can manipulate these frames to cause parsing errors.
   • Invalid Continuation Frames: Sending continuation frames without a preceding header frame or with incorrect dependencies can crash the server.
5. PUSH Stream Attacks (Server-Side): If your server implements HTTP/2 Server Push, attackers might be able to trigger pushes of unwanted resources, leading to resource exhaustion.
   • Unsolicited Pushes: Attackers could potentially force the server to push large files to clients without their request.

Mitigation Strategies

1. Keep Software Updated: Regularly update your web servers, application frameworks, and any HTTP/2 libraries. Security patches often address vulnerabilities related to these attacks.
2. Implement Strict Header Validation: Validate all incoming header fields for size, format, and content. Reject requests with invalid headers.
3. Limit Stream Multiplexing: Configure a reasonable maximum number of concurrent streams per connection. This prevents resource exhaustion from excessive stream creation.
   • Nginx Example: In your Nginx configuration:

     http2_max_concurrent_streams 100;

4. Monitor Connection Settings: Log and monitor HTTP/2 connection settings frames. Detect any suspicious or unexpected changes.
5. Disable Server Push (If Not Needed): If you don’t require server push functionality, disable it to eliminate the associated attack surface.
6. Web Application Firewall (WAF): Deploy a WAF capable of inspecting HTTP/2 traffic. Modern WAFs can detect and block many of these attacks.
7. Rate Limiting: Implement rate limiting on connections and streams to prevent abuse.

Tools for Testing

• nghttp2: A command-line tool for HTTP/2 testing.
• curl (with HTTP/2 support): Useful for sending custom headers and observing server responses.
• Wireshark: For capturing and analyzing HTTP/2 traffic at the packet level.