http2fuzz

Recently I got interested in HTTP2. It’s a new protocol that’s going to change a lot in the way people work with web app pentesting. Among other changes, it’s binary, it allows servers to push data to clients, and it’s multiplexing (non-blocking). It’s supposed to be faster and more efficient than good old HTTP1.1. Apache and Nginx both support it, as does curl (the HTTP2 maintainers keep a list of known implementations here).

There  also aren’t a lot of tools available for doing security testing of it.

Burp Suite doesn’t support it yet and hasn’t said when it will , although ZAP is working on it.

Yahoo’s pentesting group developed a very nice semi-intelligent fuzzer for HTTP2, described here, but they stopped development on it and let it without its replay mode.

I just released a new version which supports replay mode, when running as a client, on github. The original version is available here.

Aside – Paul’s Security Weekly did an episode on HTTP2 back in January (video | show notes).

Author: TheKilt

Information Security, Cosmic Horror, Gaming, Homebrewing, BBQ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: