Web cache poisoning via HTTP/2 request tunnelling - Lab#20

28 views
May 2, 2026
17:13

In this video, I demonstrate an advanced web cache poisoning attack using HTTP/2 request tunnelling, a modern desynchronization technique that works even when classic request smuggling is not possible.

This lab is vulnerable because the front-end server downgrades HTTP/2 requests and fails to consistently sanitize incoming headers. Although it doesn’t reuse back-end connections (preventing traditional smuggling), it is still exploitable via request tunnelling. By leveraging this flaw, we inject a crafted request that poisons the cache, causing the application to serve a malicious response to other users. When the victim (who visits the home page every 15 seconds) loads the page, their browser executes alert(1), confirming a successful attack.

🎯 What you’ll learn in this video:
✔️ What HTTP/2 request tunnelling is
✔️ How it differs from classic request smuggling
✔️ Exploiting inconsistent header sanitization
✔️ Performing web cache poisoning via desync attacks
✔️ Delivering malicious payloads to unsuspecting users
✔️ Real-world impact of HTTP/2-based vulnerabilities

🧪 Lab Highlights:
- No back-end connection reuse (no classic smuggling)
- Vulnerable to HTTP/2 tunnelling
- Cache poisoning used to target victim users
- Victim visits the home page every 15 seconds

⚠️ Disclaimer: This content is for educational purposes only. Always test responsibly in authorized environments.
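A defensive check for the header-sanitization gap described above, as an added example that is not from the video or the lab: before a front end rewrites an HTTP/2 request as HTTP/1.1, it can reject fields that violate RFC 9113 sections 8.2.1, 8.2.2 and 8.3. The function name `downgrade_violations` and the sample requests are constructed for illustration.

```python
import re

# RFC 9113 section 8.2.1: field names are lowercase tokens; values must not
# contain NUL, CR or LF, and must not start or end with space or tab.
_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9a-z]+")
_FORBIDDEN_IN_VALUE = ("\x00", "\r", "\n")
# Connection-specific fields have no meaning in HTTP/2 (section 8.2.2).
_CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                        "transfer-encoding", "upgrade"}
_PSEUDO = {":method", ":scheme", ":authority", ":path"}


def downgrade_violations(headers):
    """Return reasons to reject an HTTP/2 request before it is rewritten
    as HTTP/1.1. `headers` is a list of (name, value) string pairs."""
    problems = []
    seen_regular = False
    for name, value in headers:
        if name.startswith(":"):
            if name not in _PSEUDO:
                problems.append(f"unknown pseudo-header {name!r}")
            if seen_regular:
                problems.append(f"pseudo-header {name!r} after regular field")
            # These values become the HTTP/1.1 request line after downgrade.
            if name in (":method", ":path") and re.search(r"\s", value):
                problems.append(f"whitespace in {name}")
        else:
            seen_regular = True
            # fullmatch, not match/$: "$" would accept a trailing newline.
            if not _NAME_RE.fullmatch(name):
                problems.append(f"invalid field name {name!r}")
            if name in _CONNECTION_SPECIFIC:
                problems.append(f"connection-specific field {name!r}")
        if any(c in value for c in _FORBIDDEN_IN_VALUE):
            problems.append(f"control character in value of {name!r}")
        if value != value.strip(" \t"):
            problems.append(f"leading/trailing whitespace in {name!r}")
    return problems


# Constructed sample requests (not captured traffic).
BASE = [(":method", "GET"), (":scheme", "https"), (":authority", "example.test")]
CLEAN = BASE + [(":path", "/"), ("user-agent", "probe/1.0")]
SUSPECT = BASE + [(":path", "/a\r\nb"), ("x\r\ny", "1"),
                  ("x-note", "a\r\nb"), ("transfer-encoding", "chunked")]
```

A front end that applies this check to every field, pseudo-headers included, before serialising the HTTP/1.1 request closes the inconsistency the lab relies on.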
