h2cSmuggler: HTTP Request Smuggling over HTTP/2 Cleartext (h2c)

Security researchers have found a vulnerability in insecure edge-server (reverse proxy) configurations that allows an attacker to bypass proxy rules and access controls.

The bypass has been tested on:

  • HAProxy
  • Traefik
  • Nginx

How does it work?

Bishop Fox published a proof-of-concept tool (h2cSmuggler); the bypass breaks down into the following steps:

  1. h2cSmuggler sends an HTTP/1.1 h2c upgrade request to the / endpoint on the NGINX reverse proxy.
  2. The proxy forwards the Upgrade and Connection headers to the back end, which responds with “101 Switching Protocols” and prepares to receive HTTP/2 communications.
  3. Upon receiving the 101 response from the back end, the proxy “upgrades” the connection to an unmanaged TCP tunnel.
  4. Upon receiving the 101 response from the proxy, h2cSmuggler reuses the existing connection and exchanges HTTP/2 initialization frames with the server. These include the server’s response for the endpoint requested in the HTTP/1.1 h2c upgrade (the / endpoint).
  5. Using HTTP/2 multiplexing, h2cSmuggler sends an additional request for the restricted /flag endpoint.
  6. The proxy, which no longer inspects the traffic inside the TCP tunnel, forwards the request to the back-end server.
  7. The server responds with the flag.
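As an added example (not code from the post or from h2cSmuggler), the following Python classifies the Upgrade handshake of steps 1 and 2 and shows which headers an edge proxy could pass upstream so that a cleartext HTTP/2 upgrade never turns into an unmanaged tunnel; the sample requests, the allow-WebSocket-only policy and the HTTP2-Settings value are assumptions.

```python
# Added example (not code from the post or h2cSmuggler). Sample requests,
# header policy and the HTTP2-Settings value are constructed assumptions.
from typing import Dict, Set, Tuple

def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (request line, lower-cased headers) from a raw HTTP/1.1 head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name:  # repeated headers are comma-joined, as RFC 7230 allows
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers

def tokens(value: str) -> Set[str]:
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def classify_upgrade(raw: bytes) -> str:
    """'none', 'websocket' (the upgrade a proxy usually must forward), 'h2c'
    (the cleartext HTTP/2 handshake of step 1) or 'other' (treat like h2c)."""
    _, headers = parse_request(raw)
    upgrade = tokens(headers.get("upgrade", ""))
    # Per RFC 7230 an Upgrade header only counts when Connection lists it.
    if "upgrade" not in tokens(headers.get("connection", "")) or not upgrade:
        return "none"
    if "h2c" in upgrade or "http2-settings" in headers:
        return "h2c"
    return "websocket" if upgrade == {"websocket"} else "other"

def forwardable_headers(raw: bytes) -> Dict[str, str]:
    """Headers the edge may pass upstream: only a WebSocket upgrade survives,
    so the proxy never hands the connection over as an unmanaged tunnel."""
    _, headers = parse_request(raw)
    if classify_upgrade(raw) == "websocket":
        return headers
    cleaned = {k: v for k, v in headers.items()
               if k not in ("upgrade", "http2-settings")}
    keep = tokens(cleaned.pop("connection", "")) - {"upgrade", "http2-settings"}
    if keep:
        cleaned["connection"] = ", ".join(sorted(keep))
    return cleaned

# Constructed sample requests; H2C_REQ mirrors step 1 of the write-up.
H2C_REQ = (b"GET / HTTP/1.1\r\nHost: example.internal\r\n"
           b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
           b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
WS_REQ = b"GET /ws HTTP/1.1\r\nHost: example.internal\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
PLAIN_REQ = b"GET /flag HTTP/1.1\r\nHost: example.internal\r\n\r\n"
```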

h2cSmuggler

h2cSmuggler smuggles HTTP traffic past insecure edge-server proxy_pass configurations by establishing HTTP/2 cleartext (h2c) communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls.

[Image: h2cSmuggler --help screen]
