HTTP/3 will not Save you from Request Smuggling: A Methodology to Detect HTTP/3 Header (mis)Validations
Pisu, Lorenzo;Loi, Federico;Maiorca, Davide;Giacinto, Giorgio
2024-01-01
Abstract
HTTP/3 will be the new de facto standard for communication in web applications. Despite its increasing integration into modern browsers, its security properties have not yet been fully investigated. A significant problem is represented by request smuggling attacks, which may constitute a critical issue for web applications' security and privacy, leading to severe consequences such as cache poisoning, session hijacking, and Denial of Service (DoS). This category of attacks is particularly interesting as it involves abusing the characteristics of the HTTP protocol to manipulate and craft malicious requests that the server will misinterpret, creating desynchronizations between the frontend and the backend. In this paper, we present the first taxonomy of request smuggling attacks in HTTP/3. Specifically, we focus on conversion and validation issues observed in HTTP/2 that can persist in HTTP/3 environments. Since these attacks depend on how proxies parse incoming requests, we also present a methodology to discover possible header validation issues that can cause request smuggling in proxies and frameworks. Finally, we apply this methodology to four proxies and a Python framework, finding various inconsistencies in how they parse malformed requests. Our work aims to underscore the importance of vigilance in current and future applications utilizing HTTP/3 protocols to mitigate potential security risks. Despite the limited availability of libraries and frameworks supporting HTTP/3 at the present moment, its rapid adoption calls for consideration and analysis of its security.


