Alternative (ab)uses for HTTP Alternative Services


Trishita Tiwari and Ari Trachtenberg, Boston University


The HTTP Alternative Services header (Alt-Svc) was introduced in 2013 in a bid to streamline load balancing, protocol optimizations, and client segmentation, and it has since been subsequently implemented in almost all mobile and desktop browsers. We show that the major implementations of the header are independently susceptible to a variety of stealthy abuse. Indeed, we demonstrate how Alternative Services may be leveraged to scan ports blacklisted by browsers, probe firewalled hosts, and mount Distributed Denial of Service attacks. These services may also be misused to bypass popular phishing and malware protection services like Safe Browsing, and also online site checkers like VirusTotal, URLVoid, Sucuri and IPVoid. In the privacy realm, the Alt-Svc header may be abused for user tracking: at the network layer by Internet Service Providers (ISPs), and at the application layer by first and third party websites (where we bypass third-party tracking protections on Firefox, Chrome and Brave). In a similar manner, the header may be used by transiently connected ISPs to exfiltrate parts of a victim's browser history. Our attacks work, to varying extents, on Firefox, Tor, Chrome, and Brave browser, and have been disclosed accordingly--so far, one of our vulnerabilities been patched by Mozilla as CVE-2019-11728. We conclude with proposed mitigations for some of these abuses.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {238592,
author = {Trishita Tiwari and Ari Trachtenberg},
title = {Alternative (ab)uses for {HTTP} Alternative Services},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {},
publisher = {USENIX Association},
month = aug