Freitag, 24. Juli 2015

HTTP/2 malicious SERVER PUSH (weak POC)

HTTP/2 now supports SERVER PUSH messages

HTTP/2 adds a new interaction mode whereby a server can push responses to a client (Section 8.2). Server push allows a server to speculatively send data to a client that the server anticipates the client will need, trading off some network usage against a potential latency gain. The server does this by synthesizing a request, which it sends as a PUSH_PROMISE frame. The server is then able to send a response to the synthetic request on a separate stream.   
So, in my mind that gives an fraudulent server a great opportunity to do bad stuff to the client. While thinking about it and jumping back out of bed to search for a scenario,  I created the data for this (weak) POC.
I call it a weak POC, cause I guess there is much more, I just wanted to show that it works in some way, what an attacker could do is for others to prove :-)

I used nghttp2 for both, server and client.

The server is started with
 ./nghttpd -v  --echo-upload -p/test=/ --early-response 8081 local.key local.crt
The -p option tell the server to push the EICAR test signature in case /test is requested.

The client than I call with
  ./nghttp -v https://<local ip>:8081/test

On server side we can see

That the server has send the EICAR test signature like I wanted to

This shows up in the client output as well

and gets displayed later on