http2fuzz

Recently I got interested in HTTP2. It’s a new protocol that’s going to change a lot in the way people work with web app pentesting. Among other changes, it’s binary, it allows servers to push data to clients, and it’s multiplexed (non-blocking). It’s supposed to be faster and more efficient than good old HTTP1.1. Apache and Nginx both support it, as does curl (the HTTP2 maintainers keep a list of known implementations here).

There also aren’t a lot of tools available for doing security testing of it.

Burp Suite doesn’t support it yet and hasn’t said when it will, although ZAP is working on it.

Yahoo’s pentesting group developed a very nice semi-intelligent fuzzer for HTTP2, described here, but they stopped development on it and left it without its replay mode.

I just released a new version which supports replay mode, when running as a client, on github. The original version is available here.

Aside – Paul’s Security Weekly did an episode on HTTP2 back in January (video | show notes).