HTTP Pipelining

Back in the days when internet was slow and HTTPS weren't often used, people didn't use pipelining. But when HTTPS were introduced, it slowed down users user experience a lot.

HTTP Pipelining Chart

Without pipelining, a new TCP connection is created for each element that is requested from a webpage. For example a user is navigating to /myBio.html. Here the page requests two images and a JavaScript file. Due to thousands of people using a websites, it all got slow in combination with HTTPS because a new TCP connection was opened for each individual request to the webserver. In this instance two TCP connections are opened for the two photos, one for the JavaScript file and another for the html file /myBio.html. This dramatically slows the webserver down back in the days when everyone had a slow internet connection.

However, by using this 1 TCP connection, each subsequent request have to be completed for the TCP connection to be closed when using HTTP pipelining. So effectively, we are able to smuggle inside more requests into the server through one singular connection, making it work hard to give us the requested content.

In todays day and age, the average person has a fast internet connection speed and therefore pipelining is not particularly effective. This optimization technique is generally not recommended and is mostly seen as a security issue. There are better optimization and speed enhancing techniques that are a safer option.

Exploiting

By starting a new request within the same request, the webserver, concatenates each response to one massive response. In theory, an adversary could consume all available TCP connections and thus cause a Denial of Service. By requesting, for example, a very large file such as a video, I've managed to make the response complete at a surprising 180+ seconds.

In some instances, some websites have set a timeout for how long a connection can be open. Apache keeps it at 300 seconds by default.

However, I have never managed to do a significant impact with this but have read some articles about some exploits involving HTTP pipelining somewhere.

Required for exploitation

  1. The type of connection must be HTTP/1.1. If HTTP/2 is used, untick it at Settings > Network > HTTP > Untick HTTP/2
  2. Untick Update Content-Length in Repeater tab

Request

GET /scripts HTTP/1.1
Host: www.example.com

GET /scripts HTTP/1.1
Host: www.example.com

GET /scripts HTTP/1.1
Host: www.example.com

HTTP Pipelining Burp Request