1

Has anyone maybe a link to HTTP security topics in general?

I find often breadcrumbs, like in several different attack possibilities, but nothing comprehensive.

Mostly regarding HTTP 1.1 / HTTP 2 (h2c) and proxying.

I'm currently unclogging an whole ecosystem of proxies, endpoints, edge nodes and so on...

My knowledge is limited and it's frustrating to Google cause seemingly I get always just pieces of the puzzles but not a collection -.-

(Looking for specific information, e.g. regarding attacks like H2C Smuggling, HPACK attacks, stuff regarding Cookies / Headers / Encoding... But please not spread over several dozen pages where it becomes frustrating to read the same shit over and over again without learning something new :( )

Comments
  • 2
    If you want a TLDR, the first basic thing is using https.

    The next one is security HTTP headers: Strict-Transport-Security, Content-Security-Policy, Feature-Policy, Permissions-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options.

    If you're really advanced, CAA for the DNS is also a nice thing.
  • 1
    It's an reverse proxy ecosystem.

    It has an TLS terminator right at the beginning of the forwarding chain.

    That's why I mentioned H2C Smuggling / H2C.

    Question regarding the headers is more focused on attack vectors - e.g. what should be filtered, what possibilities exist to derive information from the headers and so on ;)
  • 0
    @IntrusionCM Well I'm not really deep into that one, but from my superficial knowledge, you have two options how to deal with H2C.

    Either you do need websocket support, in which case you only allow the value "websockets" for the http/1 upgrade header. Or you don't need websocket support, then you can just not forward the upgrade header.

    Edit: here one link that I faintly remembered from last year: https://labs.bishopfox.com/tech-blo...
Add Comment