Exploits

This page contains information about exploiting Last Frame Synchronization (also known as Single Packet Attack) on HTTP/3.

Last Frame Synchronization for Requests with a Body

See lfs_requests_with_body.go

Last Frame Synchronization for Requests without Body (GET requests within a single packet)

See lfs_requests_without_body.go

Last Frame Synchronization for Requests without Body (GET requests with FAKE DATA Frames)

See lfs_requests_without_body_cl.go

Sending Empty QUIC STREAM frame instead of fake DATA frame

See lfs_requests_with_body_empty_quic_stream_frame.go. Only set the lastByteNum of http3.SendRequestsWithLastFrameSynchronizationMethod to 0!

Extra

The third LFS method can be sent using a fake body with a Content-Length header, for example:

Content-Length: 2
...OTHER HEADERS...

BODY:
aa

This request converts into:

  1. Send all requests [HEADERS frame + DATA(a)] with FIN=0
  2. Send all requests [DATA(a) frame] with FIN=1 within a Single Packet

It can also be sent using only a fake empty DATA frame.
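
Seen from the server side, the two steps above leave a recognizable trace: several streams held open with FIN=0, then all closed by tiny final frames inside one packet. The following detection sketch is an added example, not code from this repository; the FrameEvent log schema, the thresholds and the sample data are assumptions constructed for illustration.

```go
package main

import "fmt"

// FrameEvent is a constructed log record for one received QUIC STREAM frame (hypothetical schema).
type FrameEvent struct {
	Packet   uint64 // QUIC packet number that carried the frame
	StreamID uint64 // HTTP/3 request stream
	DataLen  int    // stream bytes in the frame (0 = empty STREAM frame)
	Fin      bool   // FIN bit of the STREAM frame
}

// SyncedPackets returns packets that finished at least minStreams streams
// whose earlier data arrived with FIN=0 in another packet and whose final
// frame carried at most maxTail bytes.
func SyncedPackets(events []FrameEvent, minStreams, maxTail int) []uint64 {
	held := map[uint64]uint64{} // stream -> packet of its first FIN=0 frame
	hits := map[uint64]int{}    // packet -> held streams it completed
	var out []uint64
	for _, e := range events {
		if !e.Fin {
			if _, seen := held[e.StreamID]; !seen {
				held[e.StreamID] = e.Packet
			}
			continue
		}
		first, ok := held[e.StreamID]
		if ok && first != e.Packet && e.DataLen <= maxTail {
			hits[e.Packet]++
			if hits[e.Packet] == minStreams {
				out = append(out, e.Packet)
			}
		}
		delete(held, e.StreamID)
	}
	return out
}

// sampleEvents is constructed data: streams 0, 4 and 8 are held open and then
// closed together in packet 7; stream 12 is an ordinary one-packet request.
func sampleEvents() []FrameEvent {
	return []FrameEvent{
		{1, 0, 40, false}, {2, 4, 40, false}, {3, 8, 40, false},
		{4, 12, 38, true},
		{7, 0, 3, true}, {7, 4, 3, true}, {7, 8, 3, true},
	}
}

func main() { fmt.Println(SyncedPackets(sampleEvents(), 3, 3)) }
```

A maxTail of 3 covers a DATA frame with a one-byte body (3 stream bytes), an empty DATA frame (2) and an empty STREAM frame (0).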