Working with HTTP/2 in Burp Suite – The Daily Swig

burpsuite twittercard ProxyEgg Working with HTTP/2 in Burp Suite - The Daily Swig


Many servers now support HTTP/2. This exposes them to potential vulnerabilities that are impossible to test for using tools that only speak HTTP/1. Burp Suite provides unrivaled support for HTTP/2-based testing, allowing you to work with HTTP/2 requests in ways that no other tools can. You can either:

  • Work with an HTTP/1-style representation of the request in the message editor

    Burp normalizes any changes you make and sends an equivalent HTTP/2 request to the server. This is perfect for general testing in cases where the protocol you’re using isn’t important.

  • Work with an HTTP/2 view in the Inspector

    This shows a more accurate representation of the headers and pseudo-headers that will be sent to the server. As this view doesn’t rely on any HTTP/1 syntax, it also enables you to construct attacks using a number of HTTP/2-exclusive vectors.

[embedded content]

Burp’s unique HTTP/2 features give you the opportunity to explore a whole new attack surface that has barely been audited due to the complete lack of any suitable tooling until now. For some real-world examples of what’s possible, check out how one of our researchers was able to use these features to identify and exploit a widespread new vector for request smuggling.

Background concepts

Under the hood, HTTP/2 is very different from HTTP/1. To help you get the most out of these features, we’ve provided a brief overview of the background concepts that are relevant.

Default protocol

By default, Burp speaks HTTP/2 to all servers that advertise support for it during the TLS handshake. This ensures that, even if you’re not conducting any protocol-specific testing, you can still take advantage of the performance improvements provided by HTTP/2 where available.

You can change Burp’s default protocol in the project settings. This is useful if you’re performing testing where it’s necessary to always use HTTP/1. You can still send individual HTTP/2 requests by switching the protocol in the Inspector if necessary.

Keeping track of which protocol you’re using

When testing for protocol-level vulnerabilities, it’s important that you’re aware of which protocol is being used for each request. There are a number of places where this information is displayed:

  • In the message editor, the request line and status line contain the protocol version. This is standard for HTTP/1 messages, but also applies to the editor’s representation of HTTP/2 messages.

  • In Burp Repeater, the current protocol is displayed in the upper-right corner of the screen, next to the target host.

  • In the Inspector, the Request Attributes section displays the protocol version. In non-editable contexts, such as in the proxy history, the highlighted protocol is purely informational. For requests that you’ve intercepted in Burp Proxy or sent to Burp Repeater, you can toggle which protocol you want to use to send the request.

Changing the protocol for a request

Regardless of your default protocol settings, you can manually choose which protocol is used to send each request. To do this, use the toggle switch under Inspector > Request Attributes.

When you change the protocol, Burp performs the necessary transformations to generate an equivalent request in the correct format for the new protocol. This means you can easily upgrade and downgrade individual requests as needed.


When working in the Inspector, it’s possible to create an HTTP/2 request that cannot be accurately represented using HTTP/1 syntax without losing information. Burp refers to this as a “kettled” request. If you try to downgrade such a request, Burp warns you that the request will have to be normalized so that it can be displayed in the editor.

Kettled requests

The Inspector enables you to create HTTP/2 requests that are impossible to accurately represent using HTTP/1 syntax without losing information. In honor of our infamous Director of Research, James Kettle, we’ve coined the term “kettled” to describe such requests.

For example, it’s technically possible to add a newline character inside a header value in HTTP/2. There is no way to show this in HTTP/1 as a newline indicates the end of a header, so anything after it would just appear to be the start of the next header’s name.

Once a request is kettled, the message editor no longer attempts to display an HTTP/1 equivalent of it. You will still be able to see the body of the message, but in place of the headers, Burp will display a notification that tells you why the request is considered kettled. If you want to make further changes to the headers of a kettled request, you need to use the Inspector.


Burp Proxy, Repeater, Logger, and Scanner currently support kettled requests. If you send a kettled request to a tool that doesn’t support them, such as Intruder, it will be normalized so that it can be displayed in the editor.

What can cause a request to become kettled?

Requests become kettled whenever you make the following changes to a request using the Inspector:

  • Adding an uppercase letter or colon to a header name.

  • Adding a newline character to a header name or value.

  • Modifying the value of the :scheme pseudo-header.

  • Adding a space character to the :path or :method pseudo-header.

  • Adding a duplicate pseudo-header.

  • Adding a semicolon and space character to a cookie value.

Unkettling a request

If you accidentally kettle a request, you have a number of options for unkettling it. You can:

  • Undo your changes using the Ctrl/Cmd + Z keys.

  • Use the Inspector to manually reverse the specific changes that have caused the request to be kettled. Check the notification in the editor to see which changes you need to make.

  • Downgrade the request to HTTP/1 using the toggle in the Inspector and dismiss the warning telling you that your changes will be lost. Burp will normalize the request, effectively discarding any changes that are incompatible with HTTP/1.

Kettled requests and extensions

Extensions to generate and issue new kettled requests. This means you’re already able to develop your own extensions for HTTP/2-exclusive testing. Note that extensions are currently unable to modify kettled requests that were originally issued by Burp as they only have access to the normalized, HTTP/1-style representation of Burp’s requests.

HTTP/2 settings

There are a number of settings throughout Burp that let you adjust its behavior when working with HTTP/2.

Changing the default protocol

By default, Burp speaks HTTP/2 to all servers that advertise support for it during the TLS handshake. However, you can change the default protocol so that it uses HTTP/1 unless you explicitly tell it to send an HTTP/2 request. To do this, go to Project Options > HTTP > HTTP/2 and deselect the Default to HTTP/2 if the server supports it option.

You might want to do this if you’re focusing on a vulnerability that specifically requires HTTP/1, such as classic CL.TE or TE.CL request smuggling.

You can still override this global setting for individual requests by using the Protocol toggle under Inspector > Request Attributes.

Repeater options for HTTP/2

From the Repeater menu, you can use the following options to control Burp Repeater’s behavior when handling HTTP/2 requests.

Enforce protocol choice on cross-domain redirections

By default, Repeater will negotiate the protocol as normal when redirected cross-domain. If you enable this option, it will follow any cross-domain redirections using the same protocol that is selected under Inspector > Request Attributes. This is important when testing for HTTP/2-specific vulnerabilities that trigger cross-domain requests.

Enable HTTP/2 connection reuse

By default, Repeater reuses the same connection for multiple HTTP/2 requests. Some servers treat the first request on each connection differently to subsequent requests, which can lead to vulnerabilities appearing intermittent or even being missed entirely. On other servers, sometimes a request will corrupt a connection without causing the server to tear it down, silently influencing how all subsequent requests get processed.

If you run into either of these problems, you can mitigate them by disabling this option so that the request you send is always the first one on the connection.

Strip Connection header over HTTP/2

By default, when an HTTP/2 request contains a Connection header, Burp strips this before sending the request to the server. This is because many HTTP/2 servers will reject requests containing this header.

If you want to experiment with sending the Connection header anyway, you can disable this option.

Disabling HTTP/2 for proxy listeners

In some rare cases, such as when a client has problems with its HTTP/2 implementation, you may want to disable HTTP/2 on the connection between the client and Burp’s proxy listener. To do this, go to Proxy > Options, select the relevant listener, then click Edit. In the dialog, go to the HTTP/2 tab and deselect the Support HTTP/2 checkbox. Burp will then only accept HTTP/1 on this connection even if the client wants to use HTTP/2.

Note that this does not affect the connection between Burp and the server.

Upcoming enhancements for HTTP/2 in Burp

There are some limitations to Burp’s HTTP/2 support. We are currently working on the following enhancements.

Manually testing servers with hidden HTTP/2 support

Burp determines whether the server supports HTTP/2 based on whether it advertises this in the ALPN during the TLS handshake. However, some servers actually do support HTTP/2 even though they don’t advertise it in this way.

Burp Scanner is already able to identify this “hidden” HTTP/2 support, and will report this as an informational issue. Currently, Burp’s manual tools won’t let you send your own HTTP/2 requests to these servers. This will be remedied in a future release.

Increased support for kettled requests

At the moment, some of Burp’s tools cannot handle kettled requests, most notably, Burp Intruder. We aim to enable you to work with kettled requests in all of Burp’s tools in future releases.

Source of this news:

Related posts:

Zenscrape Review: Website HTML Extraction - Designmodo
Share Share Tweet Share Pin It ResourcesEditorial • October 09, 2019 • 5 minutes READ Over time, data has become the core of business strategies and market research. It is being termed as th...
Why Telegram became the go-to app for Ukrainians - despite being rife with Russian disinformation - ...
For weeks, Russia's military assault on Ukraine has been complemented by full-fledged information warfare. The Kremlin has propagandised Russian state media, and is trying to control the narrative on...
Fix Discord Connection issues on Windows PC - TWCN Tech News
Apart from connection errors that is usually listed in the Console Log when you encounter Discord errors, there are general Discord connection issues that you might face while gaming on your Windows ...
Madero Alto Networks: Personal VPNs pose risks to associations - TechTarget
The rise in remote exercise continues to expose network security measures concerns within the enterprise establishing, and a new report by Palo Alto Networks imparts yet another risk -- applying ...
Next Article How AI & proxies drive web scraping -
As public online data acquisition becomes increasingly important to decision-making, AI, web scraping and proxies will continue to find their way into business activities. While the inclusion of AI i...
Zenscrape: A Simple Web Scraping Solution for Penetration Testers - The Hacker News
Did you ever try extracting any information from any website? Well, if you have then you have surely enacted web scraping functions without even knowing it!To put in simpler terms, Web scraping, o...
How to Hide Your IP Address - Lee Stanton - Alphr
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way. Websites keep track of your IP address for various reasons, and in most cases, it’s n...
A security bug in health application Docket exposed COVID-19 shot records - TechCrunch
A security auscultate in the health software package Docket shown the private information of people vaccinated against COVID-19 into New Jersey and Utah, the place app received endorsements a...
EVS unveils asset management shopping cart software for live production, MediaCeption Signature - Ne...
EVS is complete with announced the launch amongst MediaCeption Signature 1 . 0, the company’s latest-generation end-to-end asset management solution on fast turnaround productions. MediaCeption Si...
ESET takes part in global operation to disrupt Zloader botnets - We Live Security
ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addresses ESET has collaborated with partners Microsoft’s Digital Cri...
The best way to Connect to Localhost Within a Docker Container - How-To Nerd
When working with Docker, you usually containerize the services exactly who form your stack and moreover use inter-container networking to be able to communicate between them. Sometimes you must ...
What Are Sneaker Proxies? - Tech Critter
Every successful sneaker buyer uses a variety of tools to get ahead of their peers. If you want to compete with them without the knowledge about what they do, you will be left to do nothing but won...
Fix If your Google Drive Not Syncing - The Laconia Daily Sun
Cloud storages become a leading solution for some individual and organization users due to enhanced data accessibility and safety. That is, many users choose to save their important data to a cloud ...
KrebsOnSecurity Hit By Huge Very new IoT Botnet “Meris” , Krebs on Security instruction Krebs on Sec...
On Saturday evening, KrebsOnSecurity was the person of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack. The breach came from “ Meris , ” the same newer botnet be...
Proxy vs. VPN: What's the Difference? Proxy vs VPN: Find out Which is Better - Sprout Wired
Today, people spend a lot of their time online. They use the Internet for work, fun, and communication. This means that a lot of our private data is collected each time we go online which can le...
Review: Group-IB Fraud Hunting Platform - Help Net Security
Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging....
Find Tracing - What You Need to Know difficult techPresident
Contact tracing was, and is, a critical feature in aiding governments monitor the multiplication of the covid-19 virus. Our own NSO-group was right at you see, the forefront of contact searching for...
How to Watch the Olympics (With a VPN): Live Stream Tokyo Games 2021 - Cloudwards
Although a year late, the anachronistically named Tokyo 2020 Olympics are finally here. They’re the fourth Olympic Games held in Japan, but only the second Summer Olympics after Tokyo 1964. A lot of...

IP Rotating Proxy Onsale


First month free with coupon code FREE30