Generate Certificates and spin up the environment with docker-compose:Īll of the proxies deny access to the /flag endpoint accessible on the h2c back end. docker-compose will simulate three chains of proxies that lead to an h2c-enabled Golang back end:Ĩ001: HAProxy -> h2c backend (Insecure default configuration)Ĩ002: nginx -> h2c backend (Insecure custom configuration)Ĩ003: Nuster -> HAProxy -> h2c backend (Insecure configuration with multiple layers of proxies) The test environment will allow you to experiment with h2cSmuggler in a controlled environment. The only dependency is the Python hyper-h2 library: See the technical post for additional guidance.
HOW TO INSTALL HAPROXY ON KALI LINUX UPGRADE
To remediate, do not forward user-supplied values for Upgrade or Connection headers. In the demo below, we demonstrate accessing an internal /flag endpoint by using h2c smuggling to bypass proxy deny rules. Once you have identified an affected endpoint that can be used for tunneling, you can now access or brute-force internal endpoints on the back-end server and provide custom verbs or headers.
Use the -scan-list option to test one or more web servers to look for affected proxy_pass endpoints. For example, h2c-enabled proxies may respond to the upgrade instead of forwarding it to an h2c back end.
Because h2c is intended to be performed only on cleartext channels, detection on HTTPS services often yields true positives.īy contrast, HTTP services may result in false positives. Technical breakdown of the vulnerabilityĪny proxy endpoint that forwards h2c upgrade headers can be affected.H2cSmuggler smuggles HTTP traffic past insecure edge-server proxy_pass configurations by establishing HTTP/2 cleartext (h2c) communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls.
0 kommentar(er)
