A new type of hack that piggybacks malicious Web requests alongside legitimate ones could be used to create a broad range of havoc in an organization, a report from cybersecurity company Bishop Fox reveals.
“Devastating.” That’s how Bishop Fox lead researcher Jake Miller described this new new form of HTTP request smuggling — dubbed “h2c smuggling” — in a September blog post. H2c is established protocol shorthand for HTTP/2 initiated by a HTTP/1.1 Upgrade header sent over cleartext communication. The attack occurs when a hacker uses h2c to send requests to an intermediary server (known as a proxy server), which can then evade the server access controls.
The consequences of h2c smuggling can be severe and are “a significant business risk,” Miller said in an email. Hackers could use it to forge internal headers and access internal network endpoints.
Who’s Vulnerable to h2c Smuggling?
Although Miller declined to state the number of Bishop Fox clients with the h2c smuggling vulnerability, he said he rushed publication of the blog post detailing the vulnerability because of the large number of clients impacted.
“We found affected servers across a diverse set of clients (such as different industries, different offerings, and relative size), indicating that this issue doesn’t seem to be confined to a particular type of organization,” he said.
The vulnerability appears to have such a potentially large scope of impact because “any” proxy can be affected, including proxied endpoints such as /api/ or /payments/, which can also be affected independently of other proxied endpoints.
Consumers won’t be affected directly by h2c smuggling, but unauthorized access to their data or actions taken with or to their accounts could happen, said Miller.
“The key takeaway is that if your application relies on proxies to sanitize HTTP requests, it’s critical to ensure that you are not forwarding arbitrary Upgrade headers, as it could expose you to h2c smuggling attacks,” he said. “For organizations relying on proxies to prevent access to sensitive endpoints or restricting use of internal headers, this technique would allow attackers to bypass these controls.”
Are There Attacks in the Wild?
Because h2c smuggling has never been described before, Miller doesn’t know whether it’s been exploited by hackers. But similar HTTP request smuggling and forgeries that exploit inconsistencies in how HTTP is processed have been used to access internal management dashboards, perform IP address spoofing, impersonate actions for other customers or system users, and take advantage of header-based routing systems to gain further access in an organization’s network.
The hardest part of using h2c to attack an organization is to figure out what kind of damage can be done once the hacker has gotten access to the internal network, says James Kettle, director of research at London-based security company PortSwigger, and one of the security researchers who has made significant discoveries in the realm of HTTP request smuggling.
“The smuggling research that I’ve done, and others have done recently, can give you access to users or the website. This technique, h2c smuggling, just gives you direct access to the backend servers,” Kettle explains. “It’s really nice research that I’m annoyed I missed discovering when I was looking at this about a year ago.”
How to Stop h2c Smuggling
Bishop Fox released a tool for checking if an organization is vulnerable to h2c smuggling on proxy servers. There are two methods so far for stopping h2c smuggling. But to stop the vulnerability from being exploited in the first place, Miller said here are only two viable options.
The first involves mandating WebSocket support for HTTP/1.1 upgrade headers. The second is to disable WebSocket support altogether and disable forwarding Upgrade headers.
“From a triage perspective, it’s hopefully a simple fix given that it can be addressed through a configuration change for most products,” he said.
Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also … View Full Bio