

- In the beginning, only the first import returns a stylesheet; the other ones just block the connection.
- The first returns a stylesheet that leaks the 1st character of the token.
- When the leak of the 1st character reaches the ATTACKER-SERVER, the 2nd import stops blocking and returns a stylesheet that includes the 1st character and attempts to leak the 2nd one.
- When the leak of the 2nd character reaches the ATTACKER-SERVER, the 3rd import stops blocking… and so on.

The technique works because Chrome processes imports asynchronously, so as soon as any import stops blocking, Chrome immediately parses it and applies it.

The method from the previous paragraph doesn't work in Firefox at all, because Firefox processes stylesheets in a significantly different way than Chrome. I'll explain the differences on a few simple examples.

First of all, Firefox processes stylesheets synchronously. So when there are multiple imports in a stylesheet, Firefox won't apply any CSS rules until all of the imports are processed. Consider the following example:

Firefox would immediately queue all 10 imports. After processing the first import, Firefox would queue another request with the character leak. The problem is that this request is put at the end of the queue, and by default the browser has a limit of 6 concurrent connections to a single server. So the request with the leak would never reach the server, as there are 6 other blocking connections to the same server, and we end up with a deadlock. The limit of 6 connections is enforced on the TCP layer, so there can be only 6 simultaneous TCP connections to a single server.

At this point I had an idea that HTTP/2 could be the solution. If you're not aware of the benefits brought by HTTP/2, one of its main selling points is that you can send multiple HTTP requests over a single connection (known as multiplexing), which greatly increases performance. Firefox has a limit of concurrent requests on a single HTTP/2 connection too, but by default it is 100 (-concurrent in about:config). If we need more, we can force Firefox to create a second TCP connection by using a different host name. For instance, if I create 100 requests to and 50 requests to, Firefox would create two TCP connections.

Now I have all the building blocks needed to prepare a working exploit.
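The queueing argument above (why 10 synchronously queued, blocking imports starve the later-queued leak request under a 6-connection limit, and why a 100-stream HTTP/2 connection does not) can be checked with a small model. The following is an added example, my own code rather than anything from the original post: it models the browser as a FIFO request queue with a fixed number of connection slots, treats import number i as "blocking until the server has received leaks 0..i-1" (import 0 returns immediately), and queues the leak request for import i at the end of the queue once that import has been processed. The `Request` and `simulate` names, the FIFO-with-slots scheduling and the per-step processing order are all assumptions of this model, not measured browser behaviour; it only reproduces the reasoning in the text so you can see where the deadlock boundary lies.

```python
"""Model of browser request scheduling under a per-host connection limit.

Constructed example: a FIFO queue with a fixed number of connection slots,
chained blocking imports, and leak requests queued behind them.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Request:
    kind: str   # "import" or "leak" (assumed labels for this model)
    index: int  # which character position the request concerns

    def __repr__(self) -> str:
        return f"{self.kind}#{self.index}"


def simulate(n_imports: int, max_concurrent: int, max_steps: int = 10_000):
    """Run the scheduling model.

    Returns (leaked_positions, deadlocked): the character positions whose
    leak request reached the server, in order, and whether the run stalled
    with every connection slot held by a blocked import.
    """
    queue = deque(Request("import", i) for i in range(n_imports))
    in_flight: list[Request] = []  # requests currently holding a slot
    received_leaks = 0             # leaks the server has seen so far
    leaked: list[int] = []

    for _ in range(max_steps):
        # Fill free slots strictly in FIFO order (the page's "end of the queue").
        while queue and len(in_flight) < max_concurrent:
            in_flight.append(queue.popleft())

        progressed = False
        for req in list(in_flight):
            if req.kind == "leak":
                # The leak reaches the server and frees its slot; this is what
                # lets the next import stop blocking.
                received_leaks += 1
                leaked.append(req.index)
                in_flight.remove(req)
                progressed = True
            elif req.index <= received_leaks:
                # Import i returns once leaks 0..i-1 have arrived; its
                # stylesheet triggers leak request i, queued at the very end.
                in_flight.remove(req)
                queue.append(Request("leak", req.index))
                progressed = True

        if not in_flight and not queue:
            return leaked, False          # everything drained: no deadlock
        if not progressed:
            return leaked, True           # all slots held by blocked imports

    raise RuntimeError("step budget exhausted")


def deadlocks(n_imports: int, max_concurrent: int) -> bool:
    """True when the model stalls before every position has been leaked."""
    return simulate(n_imports, max_concurrent)[1]


if __name__ == "__main__":
    # 10 imports under the HTTP/1.1-style limit of 6 connections vs the
    # HTTP/2-style limit of 100 streams described in the text.
    for limit in (6, 100):
        leaked, stalled = simulate(10, limit)
        print(f"limit={limit:3d} leaked={leaked} deadlock={stalled}")
```

Running it shows the model stalls with 10 imports and 6 slots before a single position is leaked, and drains completely with 100 slots. Varying the numbers also exposes the boundary the text implies but does not state: the run deadlocks exactly when the number of still-blocked imports (`n_imports - 1`) is at least `max_concurrent`, so 6 imports under a limit of 6 still complete while 7 do not.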
