Lab: HTTP/2 request splitting via CRLF injection

Our target is a hypothetical web application that simulates a real-world scenario. To demonstrate HTTP/2 request splitting, we follow the step-by-step solution provided by the lab:

1. Setup with Burp Suite: Send a request for GET / to Burp Repeater. Expand the Inspector's Request Attributes section and set the protocol to HTTP/2.

2. Poisoning the response queue: Change the path of the request to a non-existent endpoint, e.g. /x, so that it consistently returns a 404 response. This makes responses later captured from the poisoned queue easy to recognise.

3. CRLF injection: Using the Inspector, append an arbitrary header whose value contains injected \r\n sequences. This splits the request and smuggles a second request to a non-existent endpoint:
   Name: foo
   Value: bar\r\n\r\nGET /x HTTP/1.1\r\nHost: YOUR-LAB-ID.web-security-academy.net

4. Exploiting downgrading: Send the request. When the front-end server downgrades it to HTTP/1.1, it appends \r\n\r\n, which turns the smuggled prefix into a complete request and poisons the response queue.

5. Capturing the admin's session cookie: Wait about 5 seconds, then resend the request to fetch an arbitrary response from the queue. Repeat until you capture a 302 response containing the admin's post-login session cookie. If this does not work, send 10 ordinary requests from Repeater to reset the connection and try again.
   Turn on intercept before accessing the host URL at /admin so the request can be captured in Burp (see the image below). Send it to Repeater and replace the session cookie with the one obtained from the 302. Turn off intercept after sending the captured /admin request to Repeater.

6. Accessing the admin panel: Use the captured session cookie to send a GET request to /admin. Repeat until you receive a 200 response containing the admin panel.

7. Deleting 'carlos' to solve the lab: In the admin panel response, find the URL for deleting 'carlos' (/admin/delete?username=carlos). Update the path in your request accordingly and send it to solve the lab.
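The mechanism behind steps 3 and 4 is the front-end's HTTP/2-to-HTTP/1.1 downgrade: header values are copied verbatim into the HTTP/1.1 byte stream, so a value containing \r\n\r\n ends one request head and starts another. The following added example (not part of the lab or this write-up) shows a naive downgrade routine beside a hardened one that rejects CR, LF and NUL in every field before serialising, plus a detection helper that counts how many request heads a back-end parser would see in the downgraded bytes. The function names, the sample headers and the use of the lab's placeholder hostname are all assumptions made for the example.

```python
import re

# Characters that change HTTP/1.1 framing once a field is re-serialised.
FORBIDDEN = ("\r", "\n", "\0")

# Request-line shape an HTTP/1.x back-end would accept at the start of a head.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


class HeaderInjectionError(ValueError):
    """Raised when a header or pseudo-header would alter HTTP/1.1 framing."""


def validate_field(name, value):
    """Reject empty names and any CR, LF or NUL in a field name or value."""
    if not name:
        raise HeaderInjectionError("empty field name")
    for ch in FORBIDDEN:
        if ch in name or ch in value:
            raise HeaderInjectionError(f"control character {ch!r} in field {name!r}")


def serialize_http1(pseudo, headers):
    """Naive downgrade (the vulnerable form): writes each field as 'name: value'
    and appends the terminating CRLF CRLF without inspecting the values."""
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def downgrade_to_http1(pseudo, headers):
    """Hardened downgrade: validates every pseudo-header and header first, so the
    serialised output always contains exactly one request head."""
    for key in (":method", ":path", ":authority"):
        validate_field(key.lstrip(":"), pseudo[key])
    for name, value in headers:
        validate_field(name, value)
    return serialize_http1(pseudo, headers)


def count_request_heads(raw):
    """Detection helper: number of HTTP/1.1 request heads in the downgraded
    bytes. Anything other than 1 indicates request splitting."""
    heads = [h for h in raw.split(b"\r\n\r\n") if h]
    return sum(1 for h in heads if REQUEST_LINE.match(h.split(b"\r\n", 1)[0]))


def is_safe_request(pseudo, headers):
    """True if the hardened downgrade accepts the request, False if it rejects it."""
    try:
        downgrade_to_http1(pseudo, headers)
        return True
    except HeaderInjectionError:
        return False


# Constructed sample data. The hostname is the lab's own placeholder, not a real host.
PSEUDO = {":method": "GET", ":path": "/x",
          ":authority": "YOUR-LAB-ID.web-security-academy.net"}
CLEAN_HEADERS = [("user-agent", "example-client/1.0")]
SPLIT_HEADERS = [("foo", "bar\r\n\r\nGET /x HTTP/1.1\r\n"
                         "Host: YOUR-LAB-ID.web-security-academy.net")]

if __name__ == "__main__":
    print("clean request, heads after naive downgrade:",
          count_request_heads(serialize_http1(PSEUDO, CLEAN_HEADERS)))
    print("injected header, heads after naive downgrade:",
          count_request_heads(serialize_http1(PSEUDO, SPLIT_HEADERS)))
    print("hardened downgrade accepts clean request:", is_safe_request(PSEUDO, CLEAN_HEADERS))
    print("hardened downgrade accepts injected header:", is_safe_request(PSEUDO, SPLIT_HEADERS))
```

The same validation has to cover the pseudo-headers (:path and :authority included), not only the regular headers, because the request line and Host line are built from them and are just as exposed when copied verbatim into HTTP/1.1.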
Conclusion: HTTP/2 request splitting via CRLF injection shows why it matters to understand and address potential vulnerabilities in web applications. By following this step-by-step guide, readers can deepen their knowledge of web security and help build a more robust online environment. Stay curious, keep learning, and continue exploring the dynamic field of cybersecurity.
Reference:
Written by

Ohekpeje Joel Odey
Cybersecurity professional sharing insights on securing ecosystems, exploring cloud tech, and simplifying concepts for pros, enthusiasts, and beginners alike.