Learn more about the http/2 smuggling vulnerability in Cloudflare. 

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team is ready to help customers with http/2 smuggling vulnerability in Cloudflare.

All About http/2 smuggling vulnerability in Cloudflare

When a request is made to a Cloudflare website via HTTP/2, Cloudflare offers weaker validation after the hundredth before forwarding it to an upstream. If the Cloudflare client’s HTTP server accepts the request. It parses the HTTP headers ending in a tab or space character. This leads to a request/response desynchronization in the HTTP/1.1 due to the initial HTTP/2 attacker’s request.

HTTP request smuggling can lead to account hijacking, HTTP Cache poisoning, and so on.

Attackers trigger desynchronization in order to use something like transfer-encoding : chunked. Cloudflare forwards this as it is and the customer’s software will attempt to interpret it. As per HTTP specification, transfer-encoding is giver higher priority over content length. In other words, HTTP request smuggling type CL.TE will occur, where it is the length of http2 stream, instead of Content-Length.

For instance,
If we run the following code:

go run cfsmugl.go request <https://www.cloudflare.com/> 
"transfer-encoding : pizza"

We will wind up with a 503 error since the upstream is not sure about decoding the imaginary pizza transport encoding request. However, if we run the following code:

go run cfsmugl.go request <https://www.cloudflare.com/> 
"transfer-encoding : chunked"

In this scenario, the request will hang since the upstream is expecting a body that is not going to arrive.

Moreover, if we disable sending the additional 100 headers with -skip-magic-headers, then switch to the program, we will wind up getting the usual responses as usual 200 responses.
The detect subcommand offers different ways to detect if a client is parsing and using a header with a space at the end.

Mitigation: http/2 smuggling vulnerability in Cloudflare

Interestingly, this bug was fixed by the Cloudflare team. However, we can expect to see similar issues in different load balances, hosting providers, and CDSs with HTTP/2 support. If you think you are vulnerable to a smuggling attack, our Support Team can help you out.

[Looking for a solution to another query? We are just a click away.]

Conclusion

To conclude, our skilled Support Engineers at Bobcares helped us understand more about http/2 smuggling vulnerability in Cloudflare.