Discovering QUIC (HTTP/3) services
In recent days we’ve added full support for discovering QUIC [1] services to scarlet, and clients are already finding exposed systems that they didn’t know they had.
If you weren’t already aware, QUIC (the transport underneath HTTP/3, and often used as a synonym for it) is rapidly becoming the dominant technology for delivering web content. It has already been adopted by some of the big names (Google, Facebook and YouTube, among others), and it is enabled by default by some hosting providers, CDNs and web servers. So even if your team hasn’t specifically configured QUIC support, you may already have QUIC services up and running today.
Detecting HTTP/3 services is also a little more involved than for the earlier web technologies you may be used to. Unlike HTTP/1 and HTTP/2 (which are delivered over TCP), HTTP/3 uses QUIC, which is itself carried inside UDP datagrams. To positively identify a service listening on TCP, it’s only necessary to send a handshake packet. With UDP (and especially QUIC) it is necessary to send a correctly formatted, correctly encrypted packet: a QUIC server silently discards anything it cannot decrypt, so a malformed probe gets no reply at all and the service may easily go undetected.
Anyway, if you are looking to get your attack surface under control, you know where to come.