HTTP/2 adds a new interaction mode whereby a server can push responses to a client (Section 8.2). Server push allows a server to speculatively send data to a client that the server anticipates the client will need, trading off some network usage against a potential latency gain. The server does this by synthesizing a request, which it sends as a PUSH_PROMISE frame. The server is then able to send a response to the synthetic request on a separate stream.
Source: https://http2.github.io/http2-spec/

So, in my mind that gives a fraudulent server a great opportunity to do bad stuff to the client. While thinking about it and jumping back out of bed to search for a scenario, I created the data for this (weak) POC.
I call it a weak POC because I guess there is much more to it; I just wanted to show that it works in some way. What an attacker could do is for others to prove :-)
I used nghttp2 for both server and client.
The server is started with
./nghttpd -v --echo-upload -p/test=/eicar.com.txt.gz --early-response 8081 local.key local.crt
The -p option tells the server to push the EICAR test signature in case /test is requested.
The client I then call with
./nghttp -v https://<local ip>:8081/test
On the server side we can see that the server has sent the EICAR test signature, like I wanted it to.
This shows up in the client output as well, and gets displayed later on.
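The defensive counterpart to this POC is a client (or an inspecting proxy) that refuses pushes it never agreed to. The following is an added example, not code from the original post or from nghttp2: a minimal HTTP/2 frame walker that applies the client-side PUSH_PROMISE rules of RFC 7540 (SETTINGS_ENABLE_PUSH, stream state and stream-id parity) to constructed frame bytes; the header block fragments are two-byte HPACK static-table placeholders and are not decoded.

```python
# Added example (not from the original post or nghttp2): walk raw HTTP/2
# frames and flag PUSH_PROMISE frames a client must reject (RFC 7540
# sections 6.5.2, 6.6, 8.2). All frame bytes below are constructed.
import struct

FRAME_HEADER = 9
PUSH_PROMISE = 0x5
FLAG_PADDED = 0x8

def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags]) +
            struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Split a byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + FRAME_HEADER <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, data[off + 9:off + 9 + length]))
        off += FRAME_HEADER + length
    return frames

def check_push_promise(flags, stream_id, payload, push_enabled, client_streams):
    """Return (promised_stream_id, reasons); an empty reasons list means accept."""
    # PADDED: first byte is the pad length, padding sits at the end of the payload.
    body = payload[1:len(payload) - payload[0]] if flags & FLAG_PADDED else payload
    promised = struct.unpack(">I", body[:4])[0] & 0x7FFFFFFF
    reasons = []
    if not push_enabled:  # we sent SETTINGS_ENABLE_PUSH=0: this is a PROTOCOL_ERROR
        reasons.append("push disabled by SETTINGS_ENABLE_PUSH=0")
    if stream_id == 0 or stream_id not in client_streams:
        reasons.append("not sent on an open client-initiated stream")
    if promised == 0 or promised % 2:  # server-initiated stream ids are even
        reasons.append("promised stream id is not a new even id")
    return promised, reasons

def audit(data, push_enabled=True, client_streams=frozenset()):
    """List (stream_id, promised_id, reasons) for every PUSH_PROMISE in data."""
    return [(sid,) + check_push_promise(fl, sid, pl, push_enabled, client_streams)
            for ft, fl, sid, pl in parse_frames(data) if ft == PUSH_PROMISE]

# Constructed sample: a well-formed push on stream 1 promising stream 2, then a
# bogus one on stream 0 promising the odd (client-side) id 3. Flags 0x4 is
# END_HEADERS; b"\x82\x84" is HPACK static-table ":method GET" and ":path /".
SAMPLE = (build_frame(PUSH_PROMISE, 0x4, 1, struct.pack(">I", 2) + b"\x82\x84") +
          build_frame(PUSH_PROMISE, 0x4, 0, struct.pack(">I", 3) + b"\x82\x84"))
```

Running `audit(SAMPLE, client_streams={1})` accepts the first push and returns two rejection reasons for the second; with `push_enabled=False` every PUSH_PROMISE is rejected, which is the setting a cautious client should advertise.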