Web systems in which the front end accepts connections over HTTP/2 and forwards them to a backend over HTTP/1.1 turned out to be exposed to a new variant of the "HTTP Request Smuggling" attack (https://portswigger.net/research/http2), which allows specially crafted client requests to be wedged into the contents of other users' requests processed in the same stream between the front end and the backend. The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access control systems and intercept authentication parameters.
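As an added illustration (not part of the original report or of PortSwigger's tooling), here is a defender-side check a front end can apply when it rewrites a decoded HTTP/2 request as HTTP/1.1: it refuses header values containing CR/LF, connection-specific headers such as Transfer-Encoding, and a Content-Length that disagrees with the HTTP/2 framing, so one client request can never become two on the backend connection. The function names and the sample request are assumptions made for this example.

```python
import re

# RFC 7540 s8.1.2.2: an HTTP/2 request carrying any of these is malformed,
# so none of them may be copied onto the HTTP/1.1 backend connection.
CONNECTION_HEADERS = {"connection", "keep-alive", "proxy-connection",
                      "transfer-encoding", "upgrade"}
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-z]+$")  # lowercase RFC 7230 token
_BAD_VALUE_RE = re.compile(r"[\r\n\x00]")               # would start a new line/request

class DowngradeError(ValueError):
    """The decoded HTTP/2 request cannot be rewritten as HTTP/1.1 safely."""

def downgrade_h2_to_h1(headers: list, body: bytes) -> bytes:
    """Rewrite one decoded HTTP/2 request (pseudo-headers + headers + DATA) as exactly
    one HTTP/1.1 request; body framing comes from len(body) only, never from headers."""
    pseudo, regular = {}, []
    for name, value in headers:
        if _BAD_VALUE_RE.search(value):
            raise DowngradeError(f"CR/LF/NUL in value of {name!r}")
        if name.startswith(":"):
            pseudo[name] = value
            continue
        if not _TOKEN_RE.match(name):
            raise DowngradeError(f"illegal header name {name!r}")
        if name in CONNECTION_HEADERS:
            raise DowngradeError(f"connection-specific header {name!r} in HTTP/2")
        if name == "content-length":
            if value != str(len(body)):
                raise DowngradeError("content-length disagrees with HTTP/2 body length")
            continue  # we emit our own Content-Length below
        regular.append((name, value))
    for required in (":method", ":path", ":authority"):
        if required not in pseudo or any(c.isspace() for c in pseudo[required]):
            raise DowngradeError(f"missing or malformed {required}")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"host: {pseudo[':authority']}", f"content-length: {len(body)}"]
    lines += [f"{n}: {v}" for n, v in regular]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body

def reject_reason(headers: list, body: bytes) -> "str | None":
    # None if the request downgrades cleanly, otherwise the reason it was refused.
    try:
        downgrade_h2_to_h1(headers, body)
        return None
    except DowngradeError as exc:
        return str(exc)

# Constructed sample: a benign decoded HTTP/2 POST (not captured traffic).
SAMPLE_HEADERS = [(":method", "POST"), (":path", "/login"),
                  (":authority", "example.test"), ("content-type", "text/plain")]
SAMPLE_BODY = b"user=alice"
```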
The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are forwarded through a front-end/backend scheme. The author of the study demonstrated the attack against Netflix, Verizon, Bitbucket, the Netlify CDN and Atlassian systems, and received 56 thousand dollars in bug-bounty payouts for the vulnerabilities identified. The problem has also been confirmed in F5 Networks products. It partially affects mod_proxy in the Apache HTTP server (CVE-2021-33193).
Tooling for carrying out the attacks has already been added to Burp and is available in the form of the Turbo Intruder extension.