The technique abuses the HTTP/2 to HTTP/1.1 downgrade: a front end (often the WAF itself) accepts the request over HTTP/2, inspects it, and then re-serialises it as HTTP/1.1 for the back end. Headers that are malformed from an HTTP/1.1 point of view, but that the HTTP/2 layer copies through without complaint, are the lever. The WAF parses one thing, the back end receives another, and that parsing gap lets the attacker slip past the WAF's protections.

Once the bypass works it can be chained into more advanced attacks, most obviously HTTP request smuggling, or used to reach hidden or otherwise unauthorised parts of the target. The root cause is the discrepancy between how the two protocol versions are parsed, so the technique applies specifically to environments that speak both HTTP/2 and HTTP/1.1, typically HTTP/2 on the edge and HTTP/1.1 to the origin.

For hunters, this means endpoints that support HTTP/2 are worth probing for downgrade behaviour, since a working bypass can expose whatever the WAF was meant to stop: injection, XSS, or access to endpoints that should not be reachable. For defenders, the check is concrete: HTTP/2 field values containing CR, LF or NUL, and connection-specific headers such as Transfer-Encoding, must be treated as malformed (RFC 9113, section 8.2.1) rather than forwarded verbatim. Testing for these parsing gaps is what actually strengthens a WAF against downgrade and smuggling attacks. Peace and Salam!
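To make the parsing gap concrete, here is an added example (not code from the original tweet or from any particular WAF product). It models a front end that re-serialises an HTTP/2 request as HTTP/1.1, an HTTP/1.1 back end that splits the resulting byte stream into requests, and a toy WAF rule. The front-end behaviour, the host name `app.example`, the `/admin` path and the `x-tag` header are all assumptions for illustration; the constructed request embeds a second request inside an HTTP/2 header value, which HTTP/2 transports without difficulty but which becomes framing once written out as HTTP/1.1. A hardened variant of the downgrade, which rejects malformed fields as RFC 9113 requires, is shown beside the naive one.

```python
# Added example: toy HTTP/2 -> HTTP/1.1 downgrade and the desync it can cause.
# Not from the original post; the front-end model, host, paths and header
# names below are assumptions made for this illustration.

# HTTP/2 carries each header as a length-prefixed (name, value) pair, so a value
# may contain "\r\n" or a Transfer-Encoding header that HTTP/1.1 treats as
# framing. A front end that copies such bytes verbatim into the HTTP/1.1
# request it sends downstream turns one HTTP/2 request into two HTTP/1.1 ones.

_CONNECTION_SPECIFIC = {
    "connection", "transfer-encoding", "keep-alive", "upgrade", "proxy-connection",
}


def downgrade_unchecked(pseudo, headers, body=b""):
    """Model of a front end that re-serialises HTTP/2 as HTTP/1.1 without
    validating header bytes (the vulnerable behaviour; an assumption)."""
    lines = [
        f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
        f"Host: {pseudo[':authority']}",
    ]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")  # framing derived from the H2 body
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def downgrade_checked(pseudo, headers, body=b""):
    """Hardened variant: reject fields that RFC 9113 section 8.2.1 calls
    malformed before they can influence HTTP/1.1 framing."""
    for name, value in headers:
        if any(ch in name + value for ch in "\r\n\0"):
            raise ValueError(f"malformed HTTP/2 field (CR/LF/NUL): {name!r}")
        if name.lower() in _CONNECTION_SPECIFIC:
            raise ValueError(f"connection-specific header not allowed in HTTP/2: {name!r}")
    return downgrade_unchecked(pseudo, headers, body)


def parse_h1_stream(stream):
    """Split a byte stream the way a Content-Length based HTTP/1.1 back end
    would, returning (method, path, fields, body) tuples. Chunked transfer
    coding is deliberately not modelled to keep the example short."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete request left on the connection
        request_line, *field_lines = head.split(b"\r\n")
        method, path, _version = request_line.decode().split(" ", 2)
        fields = {}
        for line in field_lines:
            name, _, value = line.partition(b":")
            fields[name.strip().decode().lower()] = value.strip().decode()
        length = int(fields.get("content-length", "0"))
        requests.append((method, path, fields, rest[:length]))
        stream = rest[length:]
    return requests


def waf_allows(path):
    """Toy WAF rule (assumption): block the admin area."""
    return not path.startswith("/admin")


def demo():
    """Run the constructed request through both downgrades and the back end."""
    pseudo = {":method": "POST", ":path": "/search", ":authority": "app.example"}
    # Constructed HTTP/2 header whose value ends the first request and starts a
    # second one; the WAF's HTTP/2 view still sees a single request for /search.
    smuggled = "x\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example"
    headers = [("user-agent", "demo"), ("x-tag", smuggled)]

    backend_view = parse_h1_stream(downgrade_unchecked(pseudo, headers))
    try:
        downgrade_checked(pseudo, headers)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "waf_allows": waf_allows(pseudo[":path"]),          # WAF judged "/search"
        "backend_requests": [(m, p) for m, p, _, _ in backend_view],
        "hardened_rejected": hardened_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The WAF inspects the HTTP/2 view and sees one request for `/search`, so it lets it through; the back end receives the downgraded bytes and processes a second request for `/admin` that the WAF never evaluated. The hardened downgrade refuses the same input outright, which is the behaviour to look for when testing an edge that fronts HTTP/1.1 origins.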
Original tweet: https://twitter.com/insecrez/status/1965274954825695650