Security researchers have found a vulnerability in insecure edge-server configurations, which allows them to bypass proxy rules and access controls.
The bypass has been tested on:
How does it work?
Bishop Fox published proof-of-concept code (h2cSmuggler); the technique breaks down into the following steps:
- h2cSmuggler transmits an HTTP/1.1 upgrade request to the / endpoint on the NGINX reverse proxy.
- The proxy forwards the Upgrade and Connection headers to the back end, which responds with “101 Switching Protocols” and prepares to receive HTTP/2 communications.
- Upon receiving the 101 response from the back end, the proxy “upgrades” the connection to an unmanaged TCP tunnel.
- Upon receiving the 101 response from the proxy, h2cSmuggler reuses the existing connection and exchanges HTTP/2 initialization frames with the server. These include the server’s response for the endpoint requested in the HTTP/1.1 h2c upgrade (the / endpoint).
- Using HTTP/2 multiplexing, h2cSmuggler sends an additional request for the restricted /flag endpoint.
- The proxy, which is no longer monitoring communications in the TCP tunnel, forwards the request to the back-end server.
- The server responds with the flag.
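The steps above hinge on two things a defender can act on: the proxy forwarding an Upgrade header whose value is h2c, and the back end answering 101 so that the connection leaves the proxy's control. The following Python is an added illustration (not h2cSmuggler, and not NGINX's own logic) of the two corresponding controls: an allow-list filter that only lets WebSocket upgrades through to the back end and strips the h2c-specific HTTP2-Settings header, and a detection pass over proxy access-log lines that flags h2c upgrade attempts and, more seriously, those that received a 101. The log format and the sample log lines are constructed for this example; a real deployment would need a custom log format that records the Upgrade header and status code.

```python
"""Defensive helpers for the h2c upgrade path described above (illustrative code,
not part of h2cSmuggler or NGINX).

1. sanitize_upgrade_headers(): what an edge proxy should do with the hop-by-hop
   headers of an HTTP/1.1 request before forwarding it, so that only WebSocket
   upgrades reach the back end and an h2c upgrade cannot turn the proxied
   connection into an unmanaged tunnel.
2. find_h2c_upgrades(): a detection pass over access-log lines (constructed
   format) that flags requests asking for Upgrade: h2c, marking those that got
   a 101 as an established tunnel.
"""
from __future__ import annotations

import re
from typing import Dict, List

# Upgrade protocols an edge proxy has a legitimate reason to forward.
ALLOWED_UPGRADES = {"websocket"}


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def sanitize_upgrade_headers(headers: Dict[str, str],
                             allowed=ALLOWED_UPGRADES) -> Dict[str, str]:
    """Return a copy of `headers` that is safe to forward to the back end.

    If every protocol named in Upgrade is on the allow list, Upgrade is kept and
    Connection is normalised to "upgrade". Otherwise Upgrade is dropped, the
    "upgrade" and "http2-settings" tokens are removed from Connection, and the
    HTTP2-Settings header (meaningful only for an h2c upgrade) is never forwarded.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    requested = _tokens(lower.get("upgrade", ""))
    permit = bool(requested) and all(p in allowed for p in requested)

    out: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "http2-settings":
            continue  # h2c-only header: strip unconditionally
        if lname == "upgrade":
            if permit:
                out[name] = value
            continue
        if lname == "connection":
            if permit:
                out[name] = "upgrade"
            else:
                kept = [t for t in _tokens(value)
                        if t not in ("upgrade", "http2-settings")]
                if kept:
                    out[name] = ", ".join(kept)
            continue
        out[name] = value
    return out


# Constructed log format (assumption): $remote_addr "$request" $status
#                                      "$http_upgrade" "$http_connection"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<upgrade>[^"]*)" "(?P<connection>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 "GET / HTTP/1.1" 200 "" ""',
    '203.0.113.7 "GET /ws HTTP/1.1" 101 "websocket" "Upgrade"',
    '198.51.100.9 "GET / HTTP/1.1" 101 "h2c" "Upgrade, HTTP2-Settings"',
    '198.51.100.9 "GET / HTTP/1.1" 403 "h2c" "Upgrade, HTTP2-Settings"',
]


def find_h2c_upgrades(lines: List[str]) -> List[Dict[str, str]]:
    """Flag every request that asked for an h2c upgrade.

    A 101 response means the proxy handed the connection to the back end as a
    raw tunnel (severity "tunnel_established"); anything else is an "attempt".
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if "h2c" not in _tokens(m.group("upgrade")):
            continue
        severity = "tunnel_established" if m.group("status") == "101" else "attempt"
        hits.append({"ip": m.group("ip"), "request": m.group("request"),
                     "status": m.group("status"), "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_h2c_upgrades(SAMPLE_LOG):
        print(hit)
```

The filter is deliberately an allow list rather than a block list for "h2c": any protocol the edge does not explicitly need to proxy is dropped, which also covers future or unusual Upgrade values. The detector is only as good as the log format; if the proxy does not record the Upgrade header, the 101 status on a non-WebSocket path is the remaining signal.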
h2cSmuggler smuggles HTTP traffic past insecure edge-server proxy_pass configurations by establishing HTTP/2 cleartext (h2c) communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls.