In the previous post, we looked at an HTTP/2 downgrade attack where we injected CRLF characters into a header and that allowed us to smuggle the Transfer-Encoding header through the H2 frontend. If the Transfer-Encoding header was provided as a…

In this next lab, we have to go a bit deeper into the differences between how HTTP and HTTP/2 are transferred over the wire and then ultimately processed by a web application. Once again, we are going to be going…

In the previous lab we looked at a H2.TE vulnerability. To exploit, we needed to upgrade the request from HTTP to HTTP/2 and rely on the frontend to downgrade back down to HTTP for its communication with the backend system.…

This is a unique attack and takes advantage of an implementation that accepts HTTP/2 requests but then downgrades the requests to HTTP when communicating with the backend systems. The weakness surfaces in how the Transfer-Encoding header is handled by the…

In this post, we’re going to be looking at utilizing the headers within a smuggled request to fire a cross site scripting payload. This is the 9th blog post in the series I am publishing dealing with Request Smuggling or…