
HTTP/2 Single Packet Attack low level library based on Scapy

Project description

H2SpaceX

pypi: 1.2.2 Python: 3.8.8 License: GPL v3

HTTP/2 low level library based on Scapy which can be used for Single Packet Attack (Race Condition on H2)

Dive into Single Packet Attack Article

I wrote an article and published it at InfoSec Write-ups:

TODO

  • Single Packet Attack - POST
    • implement
  • Single Packet Attack - GET
    • Content-Length: 1 Method
    • POST Request with x-override-method: GET header
  • Response Parsing
    • implement
    • implement threaded response parser
    • add response times in nanoseconds for timing attacks
    • Body Decompression
      • gzip
      • br
      • deflate
  • Proxy
    • Socks5 Proxy

Change Log & Beta Versions

  • 1.2.2

    • packaging: consolidated build config into pyproject.toml and removed setup.py
      • fixed invalid [options] sections so package discovery is defined correctly
      • exposed the dev extra (twine) that the old setup.py typo had dropped
    • code cleanup
      • removed unused import and a redundant header-normalization call in GET request builder
      • GET requests now respect check_headers_lowercase=False (consistent with other request methods)
    • added tests/ (unit tests for header utilities) and CONTRIBUTING.md (build & release guide)
  • 1.2.1

    • merged PR-6
      • implement setup_connection for H2Connection (no TLS)
    • merged PR-7
      • normalize HTTP header names using Parser instead of regex
    • fixed Issue 8
      • parsing issue with raw data frames (packets)

More Research

Some of the following items are only ideas and have not been tested or implemented.

  • More Requests in a Single Packet
    • Increase MSS (Idea by James Kettle)
    • Out of Order TCP Packets (Idea by James Kettle)
    • IP Fragmentation
  • Proxy the Single Packet Request through SOCKS
  • Single Packet Attack on GET Requests
    • Content-Length: 1 Method (Idea by James Kettle)
    • x-override-method: GET Method (Idea by James Kettle)
    • Index HPACK Headers to Make GET Requests Smaller
    • HEADERS Frame Without END_HEADERS Flag
    • HEADERS Frame Without Some Pseudo Headers

Installation

H2SpaceX works with Python 3 (preferred: >=3.8.8)

pip install h2spacex

Error in Installation

If you get Scapy errors during installation, upgrade Scapy:

pip install --upgrade scapy

Quick Start

Import H2OnTlsConnection and set up the connection. Once the connection is set up, you can use it for further operations:

from h2spacex import H2OnTlsConnection

h2_conn = H2OnTlsConnection(
    hostname='http2.github.io',
    port_number=443,
    ssl_log_file_path="PATH_TO_SSL_KEYS.log"  # optional (if you want to log ssl keys to read the http/2 traffic in wireshark)
)

h2_conn.setup_connection()
...

See more examples on the Wiki page.
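
A single packet attack completes many requests with frames carried in one TCP segment, which can be checked on decrypted traffic (for example a capture decrypted with a key log like the one above). The following is an added example for the defending side, not part of H2SpaceX: it parses the HTTP/2 frame headers (RFC 9113) in one TCP payload and counts the streams completed in it. The function names, the threshold of 5 and the sample bytes are assumptions constructed for illustration.

```python
from collections import namedtuple

# Frame types and flag from RFC 9113, section 6
DATA, HEADERS, PING = 0x0, 0x1, 0x6
END_STREAM = 0x1

Frame = namedtuple("Frame", "type flags stream_id payload")


def parse_frames(segment: bytes):
    """Split one decrypted TCP payload into the complete HTTP/2 frames it holds."""
    frames, off = [], 0
    while off + 9 <= len(segment):           # 9-byte frame header
        length = int.from_bytes(segment[off:off + 3], "big")
        ftype, flags = segment[off + 3], segment[off + 4]
        stream_id = int.from_bytes(segment[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + 9 + length
        if end > len(segment):               # frame continues in the next segment
            break
        frames.append(Frame(ftype, flags, stream_id, segment[off + 9:end]))
        off = end
    return frames


def streams_completed(segment: bytes):
    """Stream ids that carry END_STREAM on a DATA or HEADERS frame in this segment."""
    return sorted({f.stream_id for f in parse_frames(segment)
                   if f.type in (DATA, HEADERS) and f.flags & END_STREAM})


def looks_like_single_packet_burst(segment: bytes, threshold: int = 5) -> bool:
    """threshold is an assumed tuning value, not taken from the page."""
    return len(streams_completed(segment)) >= threshold


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame; used only to construct the sample segments below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed sample: a PING, then the final DATA frame of ten requests
SAMPLE_BURST = frame(PING, 0, 0, b"\x00" * 8) + b"".join(
    frame(DATA, END_STREAM, sid, b"x") for sid in range(1, 20, 2))
# Constructed sample: ordinary traffic, a single GET finishing in its HEADERS frame
SAMPLE_NORMAL = frame(HEADERS, 0x4 | END_STREAM, 1, b"\x82\x84\x87")

if __name__ == "__main__":
    for name, seg in (("burst", SAMPLE_BURST), ("normal", SAMPLE_NORMAL)):
        print(name, streams_completed(seg), looks_like_single_packet_burst(seg))
```

The count is per TCP payload, so it has to run where segment boundaries are still visible (a packet capture), not on a reassembled stream.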

Examples

See the examples page, which includes some PortSwigger race condition examples.

Examples Page

Enhanced Single Packet Attack Method (Black Hat 2024) for Timing Attacks

James Kettle introduced an improved version of the Single Packet Attack at Black Hat 2024 for timing attacks:

[Image: improved version of the Single Packet Attack]

You can implement this method easily using the send_ping_frame() method.

See this Wiki page and its "Parse Response (Threaded) + Response Times for Timing Attacks" part:

Improved Version of SPA Sample Exploit

Reference of Improved Method:

References & Resources

I also got some ideas from a previously developed library, h2tinker.

Finally, thanks again to James Kettle for directly helping and pointing out some other techniques.
