idea
- no frontend server needed, just between browser and server
http anomalies
- open HTTP/1.1 connection; sometimes only the first request within the pipeline is checked, e.g., for the hostname used
- http/2 request with potential problem?
    :method POST
    :path /
    0
    malicious-prefix
seems like Amazon ALB automatically adds chunked encoding (when using http/2)
- regular CL.TE http/1.1, over separate connections
- connection-locked CL.TE
- CL.0? server ignores content-length?
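The variants listed above (CL.TE, connection-locked CL.TE, CL.0) all come down to two parsers disagreeing on where a request body ends. The following strict request-framing check is an added illustration written for these notes; it is not code from the talk or from any product mentioned here. It follows the RFC 7230 section 3.3.3 rules, assumes an HTTP/1.1 front end that reads raw bytes off a client socket, and every sample request in it is constructed for the example (including one shaped like the "0 / malicious-prefix" body noted above).

```python
"""Strict HTTP/1.1 request framing (added illustration, not from the notes).

Decide how a request body is framed following RFC 7230 section 3.3.3, reject
ambiguous framing outright, and report any bytes left in the buffer once the
framed body ends.  Leftover bytes are exactly what a CL.TE or CL.0 desync turns
into the prefix of the next request on a reused connection, so a front end
should never forward them unless it has fully parsed them as a request itself.
All sample requests below are constructed for this example.
"""
import re

CRLF = b"\r\n"


class AmbiguousFraming(ValueError):
    """Raised when the head admits more than one body length."""


def parse_head(raw: bytes):
    """Split raw request bytes into (request line, [(name, value)], remaining bytes)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete head")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers.append((name.decode("ascii").strip().lower(), value.decode("ascii").strip()))
    return lines[0].decode("ascii"), headers, rest


def framing(headers):
    """Return ('chunked', None), ('length', n) or ('none', 0); raise on ambiguity."""
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:
        # RFC 7230 3.3.3 lets a proxy drop Content-Length here; rejecting is the
        # safer choice, since this combination is the CL.TE / TE.CL precondition.
        raise AmbiguousFraming("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            raise AmbiguousFraming("Transfer-Encoding does not end with chunked")
        return "chunked", None
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise AmbiguousFraming("conflicting or non-numeric Content-Length")
        return "length", int(cl[0])
    return "none", 0


def chunked_body_end(body: bytes) -> int:
    """Offset just past a chunked body: last-chunk, optional trailers, final CRLF."""
    pos = 0
    while True:
        nl = body.find(CRLF, pos)
        if nl < 0:
            raise ValueError("incomplete chunk-size line")
        size_field = body[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("bad chunk size")
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            if body.startswith(CRLF, pos):        # no trailer section
                return pos + 2
            end = body.find(CRLF + CRLF, pos)     # skip trailer headers
            if end < 0:
                raise ValueError("incomplete trailer section")
            return end + 4
        data_end = pos + size
        if body[data_end:data_end + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        pos = data_end + 2


def check_request(raw: bytes) -> dict:
    """Frame one request strictly; 'leftover' is whatever the head does not account for."""
    request_line, headers, body = parse_head(raw)
    kind, length = framing(headers)
    if kind == "chunked":
        end = chunked_body_end(body)
    elif kind == "length":
        if len(body) < length:
            raise ValueError("incomplete body")
        end = length
    else:
        end = 0
    return {"request_line": request_line, "framing": kind,
            "body": body[:end], "leftover": body[end:]}


def is_ambiguous(raw: bytes) -> bool:
    """True when the request should be rejected with 400 and the connection closed."""
    try:
        check_request(raw)
    except AmbiguousFraming:
        return True
    return False


# Constructed samples.  SAMPLE_CLTE carries both framing headers; SAMPLE_CHUNKED ends
# its chunked body and then carries extra bytes; SAMPLE_CL0 declares an empty body
# and then carries extra bytes, the shape a server that ignores Content-Length misreads.
SAMPLE_CLTE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nX")
SAMPLE_CHUNKED = (b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"5\r\nhello\r\n0\r\n\r\nGET /x HTTP/1.1\r\n")
SAMPLE_CL0 = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
              b"GET /x HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    print("CL.TE ambiguous:", is_ambiguous(SAMPLE_CLTE))
    for name, raw in (("chunked", SAMPLE_CHUNKED), ("cl0", SAMPLE_CL0)):
        r = check_request(raw)
        print(name, r["framing"], "body=", r["body"], "leftover=", r["leftover"])
```

The design choice worth noting is that ambiguity is rejected rather than resolved: a front end that silently prefers one header can still disagree with a back end that prefers the other, which is the whole desync. Reporting leftover bytes separately makes the CL.0 case visible, since a server that ignores Content-Length would read those bytes as the next request while this parser attributes them to nothing.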
client-side desync
- victim goes to evil website
- two requests are sent by the victim's browser
- exploit
- store second request (with credentials) somewhere
- chain & pivot: add random http headers
- attack the user
stacked HEAD technique?
HTTP requests in initial request:
POST /assets  # this performs a single redirect and triggers the client-side desync
HEAD /404
GET /x?script
GET / other-site
Chrome does an overread → use a cache-buster so that the request takes longer; switch to cors mode so that the browser gets an error instead of a redirect
poison redirect
pause-based desync
use cases
- server ignores content-length
- request can be triggered cross-domain (POST without CORS-triggering headers)
- server leaves connection open