Technical Analysis of "Sandwich Attack"

Overview:
The discussed writeup by landh.tech deals with a new vulnerability known as the "Sandwich Attack," targeting HTTP/2 servers. This attack leverages the multiplexing features of the HTTP/2 protocol, which allows multiple requests and responses to be in flight simultaneously. This attack makes it possible to smuggle malicious HTTP/1.1 requests through an HTTP/2 connection, leading to various security issues.

Key Technical Details:

1. HTTP/2 Multiplexing:

   • Concept: HTTP/2 introduces multiplexing, which allows multiple request-response messages to be sent concurrently over a single connection. Unlike HTTP/1.1, which processes requests serially and can be affected by head-of-line blocking, HTTP/2's multiplexing can interleave and prioritize requests and responses for greater efficiency.
   • Implementation: HTTP/2 frames make this possible; each frame can be a part of a different HTTP message, and they are all interleaved over the same TCP connection.

2. Request Smuggling:

   • Definition: HTTP request smuggling occurs when an attacker sends a crafted HTTP message that appears differently to different front-end and back-end servers, exploiting discrepancies in how these servers parse HTTP requests.
   • Mechanism in HTTP/2: In the context of HTTP/2, an attacker can craft a series of HTTP/2 frames that, when reassembled by the server's HTTP/1.1 parser, result in different, unintended HTTP/1.1 requests.

3. Sandwich Attack Mechanics:

   • Structure: The attack involves sending HTTP/2 frames in a specific order to create two HTTP/1.1 requests on the backend server. These requests can be crafted such that one (the injecting request) contains superfluous headers/trailers, and the other (the smuggled request) gets processed with data intended for the injecting request.
   • Breakdown:
     1. Initial Request: A legitimate HTTP/2 request is sent, which is processed correctly.
     2. Injected Request: The attacker sends multiple HTTP/2 headers/frames such that an innocent front-end considers it as a complete or partial request.
     3. Smuggled Request: The front-end forwards its understanding of the HTTP/2 requests, but the backend interprets these in a manner that includes malicious content.

4. Examples and Demonstrations:

   • Real-World Example: The blog spotlights a scenario with HTTP/1.1 and HTTP/2 interaction where different interpretations of content-length headers, chunked transfer-encoding, and the overall arrangement of request frames can lead to a smuggled request continually being responded to as though it was part of the initial, legitimate HTTP/2 interactions.
   • Code Snippets: Specific code illustrations demonstrate how to construct such disruptive sequences in HTTP/2, which provide a tangible step-by-step understanding of the practical implications of a Sandwich Attack.

5. Impact:

   • Security Implications: The attack creates a pathway for several high-severity issues such as:

     • Cache Poisoning: By smuggling headers and manipulating responses, cache entries can be corrupted, leading to incorrect or malicious content being served to users.
     • Cross-Site Scripting (XSS): Injecting scripts into HTTP responses can exploit vulnerabilities on end-user browsers.
     • Request Forgery and Authorization Bypass: Malicious requests could force backend servers to perform actions as unintended users.

   • Affected Systems: The attack primarily targets configurations where HTTP/2 front-end servers or proxies interact with HTTP/1.1 backend servers.

6. Mitigation Strategies:

   • Consistency in Parsing: Ensuring that both front-end and backend servers adopt consistent rules for parsing HTTP/2 and HTTP/1.1 requests eliminates discrepancies that can be exploited.
   • Server Configuration: Employing strict configurations to handle and reject malformed or ambiguous HTTP requests.
   • Up-to-date Middlewares: Utilizing up-to-date middleware and proxies that are aware of and patched against known request smuggling techniques.

7. Reporting and Fixes:

   • Responsible Disclosure: The researchers carried out responsible disclosure processes with vendors and provided timelines for the patches and fixes made available to eliminate this attack vector.
   • Adoption of HTTP/3: Since HTTP/3 does not reuse TCP semantics and operates over UDP, many of the multiplexing and parsing ambiguities that HTTP/2 exploited would be naturally avoided.

Key Takeaways:

• Understanding Multiplexing Risks: The Sandwich Attack underscores the potential security hazards inherent in the unoptimized handling of multiplexed HTTP/2 connections.
• Discrepancy Exploitation: The attack thrives on discrepancies in request parsing between different HTTP versions; awareness and compatibility checks are crucial for secure server configurations.
• Proactive Mitigations: Regular updates, strict parsing guidelines, and adopting newer HTTP standards can mitigate such advanced attack vectors.
• Comprehensive Testing: Adopt robust testing practices involving HTTP/2 interactions to preemptively identify and patch request smuggling vulnerabilities.

Conclusion:

The "Sandwich Attack" elucidates a significant vector in the ever-evolving HTTP/2 security landscape. By exploiting protocol multiplexing and parsing discrepancies, attackers can surreptitiously inject and execute malicious requests, underscoring the necessity for synchronized, precise parsing mechanisms and proactive security configurations.

For the detailed exploration, the full blog can be accessed here.