We made a new tool, QuicDraw(H3), because HTTP/3 race condition testing is currently trash.

We’ve just released a tool that fixes a particularly annoying problem for those trying to fuzz HTTP/3. The issue is that QUIC is designed to prevent network bottlenecks (HOL blocking), which is beneficial, but it disrupts the fundamental timing required for exploiting application-level race conditions. We tried all the obvious solutions, but QUIC’s RFC essentially blocks fragmentation and other low-level network optimizations. 🤷‍♂️ So, we figured out a way to synchronize things at the QUIC stream layer using a technique we call Quic-Fin-Sync. The gist: Set up 100+ requests, but hold back the absolute last byte of data for each one. The server gets 99.9% of the data but waits for that last byte. We send the final byte (and the crucial QUIC FIN flag) for all 100+ requests in one single UDP packet. This one packet forces the server to “release” all the requests into processing near-simultaneously. It worked way better than existing methods in our tests—we successfully raced a vulnerable Keycloak setup over 40 times. If you are pentesting HTTP/3, grab the open-source tool and let us know what you break with it. The full write-up is below. What’s the most frustrating thing you’ve run into trying to test QUIC/HTTP/3? submitted by /u/ES_CY [link] [comments]Technical Information Security Content & DiscussionRead More