Exploiting Race Conditions in Web Applications with HTTP/2

Thumbnail Image

Files

master_Papli_Kaspar_2020.pdf (10.57 MB)

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2020-10-20

Department

Major/Subject

Security and Cloud Computing

Mcode

SCI3084

Degree programme

Master’s Programme in Security and Cloud Computing (SECCLO)

Language

en

Pages

79

Series

Abstract

Race conditions are a well-known problem in environments where there are several concurrent execution flows, such as threads or processes. Web applications often run in such a multithreaded environment, in which client requests are handled by worker threads that may execute the same code concurrently. Exploiting race conditions usually requires sending several exactly timed parallel requests to prompt the server to process them in parallel, potentially invoking the race condition. There are published methods on how to accomplish sending exactly timed concurrent requests in HTTP/1.x but previously no HTTP/2-specific methods were known. In this thesis, we propose two novel techniques for exploiting race conditions on applications that serve their content over HTTP/2. Both techniques exploit new features introduced in HTTP/2 for synchronising the timing of concurrent requests. These techniques are implemented using a new low-level HTTP/2 client library called h2tinker that was developed as part of this thesis. This Python library enables researchers to experiment with HTTP/2 and different implementations, providing fast prototyping capabilities and extensibility. Several previous attacks are implemented with h2tinker as examples. We provide an overview of all state-of-the-art methods for request synchronisation, including the two proposed novel methods and one previously unpublished method for HTTP/1.1 that exploits the head-of-line blocking problem in TCP. These methods are analysed and compared. In addition to exploiting race conditions, request synchronisation methods could be useful for improving other attacks, such as remote timing attacks. Therefore, these methods could be of independent interest in the future.

Description

Supervisor

Aura, Tuomas

Thesis advisor

Bjørstad, Tor Erling
Leiknes, Erlend

Keywords

http/2, race condition, web application security, http, head-of-line blocking, last byte synchronisation

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202010255996

Collections

[dipl] Perustieteiden korkeakoulu / SCI