HTTP/3 connection contamination: an upcoming threat?

by Prapattimynk, Sunday, 20 August 2023 (6 months ago)

I recently documented a dangerous reverse-proxy behaviour called first-request routing, which enables host-header attacks on back-end systems. In this post, I’ll show how first-request routing also enables a client-side, browser-based attack called HTTP connection contamination. This technique works on systems running HTTP/2, and is likely to become a greater threat with the advent of HTTP/3. The video above is a five minute presentation explaining this threat from a high level, and the rest of this post covers the full technical details.

Web browsers have a shiny feature called HTTP connection coalescing, which lets them reuse a single HTTP/2+ connection for requests going to different websites, provided that the sites resolve to the same IP address and use a TLS certificate valid for both hostnames.

First-request routing is a dangerous reverse-proxy behaviour where the proxy analyses the first request on a connection to work out which back-end to route it to, and then sends all subsequent requests on that connection to the same back-end.

Connection coalescing and first-request routing do not play well together. For example, imagine and are both sat behind a reverse proxy using a certificate valid for *

$ nslookup // reverse proxy that supports HTTP/2 and does first-request routing

$ nslookup // same reverse proxy

$ openssl s_client -connect
subject=/CN=* // wildcard TLS certificate

If a browser tries to send a request to followed by, browser connection coalescing will force both requests down a single connection to the front-end. First-request routing will result in the  request to incorrectly being routed to the WordPress back-end. This means that if you find XSS on, you can use it to compromise!

// create HTTP/2+ connection
fetch('', {credentials: 'include'})

// connection coalescing will force this down the same connection...
// ...leading to the front-end misrouting it to WordPress
// the browser thinks our injected JS is coming from
// exposing saved passwords, cookies, etc.
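From the defender's side, the two conditions described above can be checked mechanically. The following is an added example, not code from the original post: it tests whether two hostnames meet the coalescing precondition, then audits proxy log records for requests that reached a back-end other than the one configured for their own authority. All hostnames, IPs, back-end names and the log record shape are constructed assumptions.

```javascript
// Added example. Hostnames, IPs, back-end names and the log record shape
// are all constructed for illustration.

// Wildcard match as browsers apply it: "*" covers exactly one left-most label.
function certCovers(sanList, host) {
  return sanList.some((san) => {
    if (!san.startsWith('*.')) return san === host;
    const dot = host.indexOf('.');
    return dot > 0 && host.slice(dot) === san.slice(1);
  });
}

// Coalescing precondition from the text: same IP, one certificate valid for both.
function canCoalesce(a, b, dns, sanList) {
  const shareIp = dns[a].some((ip) => dns[b].includes(ip));
  return shareIp && certCovers(sanList, a) && certCovers(sanList, b);
}

// Flag requests sent to a back-end other than the one configured for their
// own authority, on a connection that was opened for a different authority.
function findContaminated(records, routes) {
  const firstAuthority = new Map();
  const findings = [];
  for (const r of records) {
    if (!firstAuthority.has(r.conn)) firstAuthority.set(r.conn, r.authority);
    const expected = routes[r.authority];
    if (r.backend !== expected && firstAuthority.get(r.conn) !== r.authority) {
      findings.push({ conn: r.conn, authority: r.authority, got: r.backend, expected });
    }
  }
  return findings;
}

// Constructed sample data.
const dns = { 'blog.example.test': ['192.0.2.10'], 'secure.example.test': ['192.0.2.10'] };
const sans = ['*.example.test'];
const routes = { 'blog.example.test': 'wordpress', 'secure.example.test': 'secure-app' };
const records = [
  { conn: 1, authority: 'blog.example.test', backend: 'wordpress' },
  { conn: 1, authority: 'secure.example.test', backend: 'wordpress' }, // misrouted
  { conn: 2, authority: 'secure.example.test', backend: 'secure-app' },
];

console.log(canCoalesce('blog.example.test', 'secure.example.test', dns, sans));
console.log(findContaminated(records, routes));
```

A pair of hostnames for which `canCoalesce` returns true and which map to different back-ends is the combination to review in the proxy's routing configuration.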

