hyper icon indicating copy to clipboard operation
hyper copied to clipboard
verified publisher icon hyperium

Harden against HTTP Desync attacks

Open Sytten opened this issue 2 years ago • 2 comments

Problem HTTP Desync attacks are pretty bad and there are a lot of bad/permissive http implementations out there that act as proxies. I didn't see any discussion / tests of hyper surrounding that so I wanted to start the discussion around the topic given that hyper is now 1.0 (and used in production in a lot of places).

Ideas

  • A suite of tests to demonstrate that an hyper server reacts as best it can (given it doesn't control the proxy)
  • Creating a flag for hardened/more strict version of hyper (server mostly)

For the second point, I would take a lot of work that has been done by AWS already in https://github.com/aws/http-desync-guardian and try to incorporate it in hyper where it makes sense. This includes going more strict than the spec to avoid confusions.

Things like ignoring a CL when a TE is present is risky (even if the spec says that it must be ignored) since a proxy might very well not ignore the CL. So even if hyper is "correct", that won't prevent a leak. Under an hypothetical strict flag, this would result in the request being rejected. https://github.com/hyperium/hyper/blob/210bfaa711b5da1f6756582a2e4bc3e229924800/src/proto/h1/role.rs#L251-L253

Additional context

  • https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
  • https://portswigger.net/research/http2

Sytten avatar Nov 24 '23 04:11 Sytten

Thanks for the suggestion! I agree with the premise, for sure! I have mentioned in other issues the idea of having a "strict" option. (I kinda wonder if it would eventually need to be made multiple options, as people want some strict things but not others.) Another point I think is to consider whether these things need to live in hyper itself, or if it can be part of recommended middleware.

More tests is always welcome, too!

seanmonstar avatar Nov 24 '23 16:11 seanmonstar

Most checks can probably live in middlewares but desync attack operate on the write buffer of the connection to leak data of other users when the proxy reuses the same connection. So I think this would need to live in hyper. Regarding the multiple flags I do agree, maybe similar to the desync attack prevention modes provided by AWS for the ALB?

Sytten avatar Nov 25 '23 02:11 Sytten