1 of 36

FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies

Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi,

Tommaso Innocenti, Kaan Onarlioglu*, Engin Kirda

Northeastern University, *Akamai Technologies

2 of 36

HTTP/1

funny cats

POST /search HTTP/1.1
host: google.com
user-agent: chrome
content-length: 16

query=funny+cats

3 of 36

HTTP/1 HTTP/2

  • Head-of-line blocking
  • Repeating headers

4 of 36

HTTP/2

HEADERS
-----------------------
:method = POST
:path = /search
:authority = google.com

CONTINUATION
-----------------------
content-length = 16
user-agent = chrome
+ END_HEADERS

DATA
-----------------------
query=funny+cats
+ END_STREAM

5 of 36

HTTP/2-to-HTTP/1 Conversion

HEADERS
-----------------------
:method = POST
:path = /search
:authority = google.com

CONTINUATION
-----------------------
content-length = 16
user-agent = chrome
+ END_HEADERS

DATA
-----------------------
query=funny+cats
+ END_STREAM

Reverse Proxy → Origin:

POST /search HTTP/1.1
host: google.com
user-agent: chrome
content-length: 16

query=funny+cats

6 of 36

HTTP/2-to-HTTP/1 Conversion

  • Compatibility and performance reasons
  • No support for HTTP/2 to the upstream in 9/10
  • Confirmed later in experiments

7 of 36

Research Goal

  • Investigate the security implications of conversion anomalies
  • Focusing on body-related conversion anomalies

  • Past research has looked at HRS vector in the H2-to-H1 conversion

POST / HTTP/1.1
host: example.com
content-length: 5

BBBBB

POST / HTTP/1.1
host: example.com
transfer-encoding: chunked

5
BBBBB
0

POST / HTTP/1.1
host: example.com

8 of 36

Research Goal

Investigate the anomalies in the conversion process and their security implications.

9 of 36

Past Research

  • Conversion anomalies only in the context of HTTP Request Smuggling
  • Request body parsing at the root of the recent HTTP attacks

10 of 36

Our Research

  • Focus on body-related conversion anomalies
  • Not a specific type of anomaly and attack

11 of 36

FRAMESHIFTER: HTTP/2 Fuzzer

  • Generating HTTP/2 Frame Sequences

<SEQUENCE> ::= <HEADERS><DATA> | <HEADERS><CONTINUATION><DATA> | <HEADERS><DATA><DATA>
<HEADERS> ::= <METHOD><URI><HEADERS-BLOCK> | <METHOD><URI>
<METHOD> ::= GET | POST | HEAD
<URI> ::= /search | http://google.com/search
<HEADERS-BLOCK> ::= …
<CONTINUATION> ::= …
<DATA> ::= …

12 of 36

FRAMESHIFTER: HTTP/2 Fuzzer

  • Generating an HTTP/2 Input

<SEQUENCE> ::= <HEADERS><DATA> | <HEADERS><CONTINUATION><DATA> | <HEADERS><DATA><DATA>
<HEADERS> ::= <METHOD><URI><HEADERS-BLOCK> | <METHOD><URI>
<METHOD> ::= GET | POST | HEAD
<URI> ::= /search | http://google.com/search
<HEADERS-BLOCK> ::= …

13 of 36

FRAMESHIFTER: HTTP/2 Fuzzer

  • Mutating an HTTP/2 Frame Sequence

HEADERS
-----------------------
:method = POST
:path = /search
:authority = google.com

CONTINUATION
-----------------------
content length =
user-agent = chrome
+ END_HEADERS

DATA
-----------------------
query=funny+cats
+ END_STREAM

Mutation candidates shown for the content-length field: \t, _, -, 16, 1-

14 of 36

FRAMESHIFTER: HTTP/2 Fuzzer

  • Mutating HTTP/2 Frame Sequences

HEADERS
-----------------------
:method = POST\t
:path = /search
:authority = google.com

CONTINUATION
-----------------------
content_length = 1.
user-agent = chrome
+ END_HEADERS

DATA
-----------------------
query=funny+cats
+ END_STREAM

CONTINUATION
--------------------
some-header = any
any-header = other
+ END_HEADERS

HEADERS
--------------------
otherheader = any
someheader = other
+ END_STREAM

15 of 36

FRAMESHIFTER: HTTP/2 Fuzzer

  • Mutating an HTTP/2 Frame Sequence

HEADERS
-----------------------
:method = POST\t
:path = /search
:authority = google.com

CONTINUATION
-----------------------
content_length = 1.
user-agent = chrome
+ END_HEADERS

DATA
-----------------------
query=funny+cats
+ END_STREAM

CONTINUATION
--------------------
some-header = any
any-header = other
+ END_HEADERS

HEADERS
--------------------
otherheader = any
someheader = other
+ END_STREAM

HEADERS
--------------------
otherheader = any
someheader = other
+ END_STREAM

16 of 36

Experiments

HTTP/2

HTTP/1

Apache httpd | NGINX | Caddy | ATS | HAProxy | Varnish | Traefik | Envoy Proxy

Akamai | Cloudflare | CloudFront | Fastly

17 of 36

Anomalies

18 of 36

Anomalies

POST / HTTP/1.1
content-length: 15

BBBBB

POST / HTTP/1.1
transfer-encoding: chunked

5\r\nBBBBB

POST / HTTP/1.1
content-length: 5&

BBBBB

POST / HTTP/1.1
content-length: 5
content-length: 10

BBBBB

POST / HTTP/1.1
transfer-encoding: chunked, chunked

5\r\nBBBBB\r\n0\r\n\r\n

POST / HTTP/1.1
content-length: 5\n

BBBBB

19 of 36

Anomalies

POST / HTTP/1.1
content-length: 15

BBBBB

POST / HTTP/1.1
content-length: 5&

BBBBB

POST / HTTP/1.1
content-length: 5
content-length: 10

BBBBB

POST / HTTP/1.1
transfer-encoding: chunked, chunked

5\r\nBBBBB\r\n0\r\n\r\n
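The conversion on slide 5 and the anomalies above, as an added example that is not part of the deck or of the FRAMESHIFTER tool: a strict HTTP/2-to-HTTP/1 converter of the kind a reverse proxy could run, which refuses each listed anomaly instead of forwarding an ambiguous HTTP/1 request to the origin. The function and constant names and the sample header list are constructed here.

```python
import re

# Added example, not FRAMESHIFTER or any vendor's code: a strict HTTP/2-to-HTTP/1
# conversion that refuses the body-framing anomalies shown on the slides instead
# of forwarding an ambiguous HTTP/1 request to the origin.
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 9110 token
DIGITS = re.compile(r"[0-9]+")
# Connection-specific fields are malformed in HTTP/2 (RFC 9113 section 8.2.2).
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}
# Constructed sample: the decoded header list of the slide-5 request.
SLIDE5_HEADERS = [(":method", "POST"), (":path", "/search"), (":authority",
                  "google.com"), ("content-length", "16"), ("user-agent", "chrome")]


def convert_h2_to_h1(headers, body):
    """headers: decoded (name, value) pairs from the HEADERS/CONTINUATION frames;
    body: concatenated DATA payload. Returns (request_bytes, None), or
    (None, reason) when the request must not be forwarded."""
    pseudo, regular = {}, []
    for name, value in headers:
        if name.startswith(":"):
            pseudo[name] = value
        elif name != name.lower() or not TOKEN.fullmatch(name):
            return None, f"bad header name {name!r}"       # "content length"
        elif re.search(r"[\r\n\0]", value):
            return None, f"control character in {name}"    # "5\n" case
        elif name in CONNECTION_SPECIFIC:
            return None, f"{name} not allowed in HTTP/2"   # "chunked, chunked"
        else:
            regular.append((name, value))
    method, path = pseudo.get(":method"), pseudo.get(":path")
    if not (method and path and TOKEN.fullmatch(method)) or " " in path:
        return None, "malformed request line"              # "POST\t" case
    lengths = {v for n, v in regular if n == "content-length"}
    if len(lengths) > 1:
        return None, f"conflicting content-length {sorted(lengths)}"  # "5" and "10"
    cl = lengths.pop() if lengths else None
    if cl is not None and not DIGITS.fullmatch(cl):
        return None, f"non-numeric content-length {cl!r}"  # "5&" case
    if cl is not None and int(cl) != len(body):
        return None, f"content-length {cl} != {len(body)} DATA bytes"  # "15"
    lines = [f"{method} {path} HTTP/1.1"]
    if ":authority" in pseudo:
        lines.append(f"host: {pseudo[':authority']}")
    lines += [f"{n}: {v}" for n, v in regular if n != "content-length"]
    lines.append(f"content-length: {len(body)}")  # framing from real DATA length
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body, None
```

The proxy writes its own content-length from the real DATA length, so the origin never sees a client-supplied framing value.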

20 of 36

21 of 36

Attacks

22 of 36

Denial of Service

Reverse Proxy → Origin:

POST /search HTTP/1.1
content-length: 10

BBBBB

23 of 36

Denial of Service

Reverse Proxy → Origin:

POST /search HTTP/1.1
content-length: 10

BBBBB

24 of 36

Denial of Service

Reverse Proxy → Origin

25 of 36

Request Blackholing

POST /search HTTP/1.1
content-length: 10

BBBBB

26 of 36

Request Blackholing

POST /search HTTP/1.1
content-length: 10

BBBBB

POST / HTTP/1.1
content-length: 12

page=account

27 of 36

Request Blackholing

POST /search HTTP/1.1
content-length: 10

BBBBB

POST / HTTP/1.1
content-length: 12

page=account

400 Bad Request

28 of 36

Request Blackholing

Reverse Proxy → Origin:

POST /search HTTP/1.1
content-length: 10

BBBBB

POST /search HTTP/1.1
content-length: 5

BBBBB

29 of 36

30 of 36

Query of Death

31 of 36

Request Smuggling

32 of 36

Request Smuggling

GET /search HTTP/1.1
content-length: 32

GET / HTTP/1.1
host: victim.com

33 of 36

34 of 36

Affected Server Pairs

35 of 36

Disclosure

  • Golang – the owner of Caddy library – assigns a CVE
  • Apache Traffic Server CVE
  • Varnish confirmation
  • Envoy Proxy gap in the DoS protection
  • Akamai remediation effort

36 of 36

Conclusion

  • Open-source HTTP/2 Fuzzer
  • Systematic approach to study the conversion anomalies
  • Novel attack vectors
  • Worked with vendors for the mitigation