Recently I got interested in HTTP2. It’s a new protocol that’s going to change a lot in the way people work with web app pentesting. Among other changes, it’s binary, it allows servers to push data to clients, and it’s multiplexing (non-blocking). It’s supposed to be faster and more efficient than good old HTTP1.1. Apache and Nginx both support it, as does curl (the HTTP2 maintainers keep a list of known implementations here).

ThereĀ  also aren’t a lot of tools available for doing security testing of it.

Burp Suite doesn’t support it yet and hasn’t said when it will , although ZAP is working on it.

Yahoo’s pentesting group developed a very nice semi-intelligent fuzzer for HTTP2, described here, but they stopped development on it and let it without its replay mode.

I just released a new version which supports replay mode, when running as a client, on github. The original version is available here.

Aside – Paul’s Security Weekly did an episode on HTTP2 back in January (video | show notes).