HTTP Connection Contamination
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
This is a summary of the post: https://portswigger.net/research/http-3-connection-contamination. Check it for further details!
Web browsers can reuse a single HTTP/2+ connection for different websites through HTTP connection coalescing, given shared IP addresses and a common TLS certificate. However, this can conflict with first-request routing in reverse-proxies, where subsequent requests are directed to the back-end determined by the first request. This misrouting can lead to security vulnerabilities, particularly when combined with wildcard TLS certificates and domains like *.example.com
.
For example, if wordpress.example.com
and secure.example.com
are both served by the same reverse proxy and have a common wildcard certificate, a browser's connection coalescing could lead requests to secure.example.com
to be wrongly processed by the WordPress back-end, exploiting vulnerabilities such as XSS.
To observe connection coalescing, Chrome's Network tab or tools like Wireshark can be used. Here's a snippet for testing:
The threat is currently limited due to the rarity of first-request routing and the complexity of HTTP/2. However, the proposed changes in HTTP/3, which relax the IP address match requirement, could broaden the attack surface, making servers with a wildcard certificate more vulnerable without needing a MITM attack.
Best practices include avoiding first-request routing in reverse proxies and being cautious with wildcard TLS certificates, especially with the advent of HTTP/3. Regular testing and awareness of these complex, interconnected vulnerabilities are crucial for maintaining web security.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)