HTTP/2 request splitting via CRLF injection - Lab#11

In this video, I demonstrate HTTP/2 request splitting via CRLF injection, an advanced desynchronization attack that exploits improper header sanitization when a front-end server downgrades HTTP/2 traffic to HTTP/1.1. This lab is vulnerable because the front-end fails to correctly sanitize HTTP/2 headers before forwarding them to the back-end server. By injecting CRLF sequences, we can split requests at the protocol boundary, leading to response queue poisoning. Using this technique, I show how to interfere with the request flow of an admin user (who logs in every 10 seconds) and gain unauthorized access to the protected /admin panel. From there, we successfully delete the user carlos. 🎯 What you’ll learn in this walkthrough: ✔️ How HTTP/2 request splitting works ✔️ CRLF injection in HTTP/2 headers ✔️ Downgrade desynchronization vulnerabilities ✔️ Response queue poisoning explained ✔️ Exploiting shared back-end connections ✔️ Bypassing admin access controls 🧪 Lab notes: Admin logs in approximately every 10 seconds Back-end connection resets every 10 requests If the connection becomes unstable, simply send a few normal requests to re-sync This lab highlights how modern HTTP/2 implementations can introduce serious security risks when protocol handling is inconsistent between front-end and back-end systems. ⚠️ For educational purposes only. Always test responsibly and within authorized environments. If you’re learning advanced HTTP request smuggling, HTTP/2 exploitation, or preparing for real-world bug bounty hunting, this is a must-watch. 🔖 Hashtags: #HTTPRequestSmuggling #HTTP2 #CRLFInjection #RequestSplitting #WebSecurity #BugBounty #EthicalHacking #PortSwigger #BurpSuite #WebAppSec #CyberSecurity #Pentesting