New dangerous HTTP attack discovered: h2c smuggling via HTTP/2 Cleartext (h2c)

Cybersecurity specialists have detected a new HTTP request smuggling attack that uses a mix of legitimate and malicious requests with the ability to generate multiple problems for any corporate network. The report was filed by security firm Bishop Fox.

Jake Miller, the report’s investigator, says the consequences of this attack can be devastating to any system. The attack, dubbed “h2c smuggling,” is based on the HTTP/2 protocol, initiated by an HTTP/1.1 header sent through unencrypted communication, and occurs when a threat actor uses h2c to send requests to an intermediary server (or proxy server), capable of bypassing server access mechanisms.

La imagen tiene un atributo ALT vacío; su nombre de archivo es h2c01.jpg

According to the expert, malicious hackers could use this attack to forge headers in internal communications and access the endpoints of a compromised network. Miller says it published the vulnerability due to the large number of clients that could be impacted by the attack: “We found affected servers in all kinds of organizations, suggesting that this flaw could be a general problem,” he adds. 

Regarding the scope of this failure, the expert believes that its impact could be large enough to affect any proxy, including endpoints such as APIs or payments that could be affected regardless of other proxy endpoints.

La imagen tiene un atributo ALT vacío; su nombre de archivo es h2c02.jpg

Consumers may not be directly affected by this attack, although unauthorized access to their account information may occur: “Organizations that rely on proxies to prevent access to sensitive terminals could restrict the use of internal headers to mitigate attack risk,” Miller says.

This is a barely discovered attack vector, so researchers have not been able to determine if it has been actively exploited. Previously, counterfeiting and smuggling attacks on similar HTTP requests have been used, leveraging HTTP processing failures to access internal management panels, perform spoofing attacks, unlawfully accessing the networks of thousands of organizations.

Of course, the active implementation of this attack has its own limitations. For example, threat actors would have to figure out exactly what malicious tasks might be performed once they have accessed the compromised networks, mitigating the negative impact since this method only provides access to backend systems.