HTTP Connection Contamination

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

This is a summary of the post: https://portswigger.net/research/http-3-connection-contamination. Check it for further details!

Web browsers can reuse a single HTTP/2+ connection for different websites through HTTP connection coalescing, given shared IP addresses and a common TLS certificate. However, this can conflict with first-request routing in reverse-proxies, where subsequent requests are directed to the back-end determined by the first request. This misrouting can lead to security vulnerabilities, particularly when combined with wildcard TLS certificates and domains like *.example.com.

For example, if wordpress.example.com and secure.example.com are both served by the same reverse proxy and have a common wildcard certificate, a browser's connection coalescing could lead requests to secure.example.com to be wrongly processed by the WordPress back-end, exploiting vulnerabilities such as XSS.

To observe connection coalescing, Chrome's Network tab or tools like Wireshark can be used. Here's a snippet for testing:

fetch('//sub1.hackxor.net/', {mode: 'no-cors', credentials: 'include'}).then(()=>{ fetch('//sub2.hackxor.net/', {mode: 'no-cors', credentials: 'include'}) })

The threat is currently limited due to the rarity of first-request routing and the complexity of HTTP/2. However, the proposed changes in HTTP/3, which relax the IP address match requirement, could broaden the attack surface, making servers with a wildcard certificate more vulnerable without needing a MITM attack.

Best practices include avoiding first-request routing in reverse proxies and being cautious with wildcard TLS certificates, especially with the advent of HTTP/3. Regular testing and awareness of these complex, interconnected vulnerabilities are crucial for maintaining web security.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated