Tools & Prevention

Tools of the Trade

HTTP Request Smuggler (Burp Extension)

The same Burp extension used for HTTP/1.1 smuggling works for HTTP/2.

CL.0 Vulnerability Scanning

What is CL.0?

Another name for H2.CL vulnerability where:

Content-Length: 0 is set
Request body contains only the smuggled request

Running the Scan

Send any HTTP/2 request to Repeater:

GET /index.php?param1=HelloWorld HTTP/2
Host: http2.htb

Right-click → Extensions → HTTP Request Smuggler → CL.0
Leave default settings, press Enter
View results in Extensions → Installed → HTTP Request Smuggler → Output

Example Output

Queueing request scan: CL.0
Found issue: CL.0 desync: h2CL|TRACE /
Target: https://172.17.0.2

Evidence: 
======================================
GET /index.php HTTP/2
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com

======================================
POST /index.php HTTP/1.1
Host: 172.17.0.2:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

TRACE / HTTP/1.1
X-YzBqv: 
======================================

Verifying the Finding

Request 1 (Smuggling):

POST /index.php HTTP/1.1
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

TRACE / HTTP/1.1
X-YzBqv:

Request 2 (Probe):

GET /index.php HTTP/2
Host: 172.17.0.2:8443
Origin: https://wguglsurkz2.com

Expected Results

Request

Response

Request 1

200 OK (normal index)

Request 2

405 Method Not Allowed

405 on Request 2 = Vulnerability confirmed!

Verification Steps

Create tab group in Burp Repeater
Uncheck "Update Content-Length" for first request
Send via separate TCP connections (to prove cross-user impact)
Check for different response on second request

HTTP/2 Prevention

Root Cause

HTTP/2 downgrading is the primary cause of these vulnerabilities.

Problem:  HTTP/2 → Proxy → HTTP/1.1 → Backend
Solution: HTTP/2 → Proxy → HTTP/2 → Backend

Prevention Strategies

1. End-to-End HTTP/2

✅ Implement HTTP/2 between ALL components
✅ No protocol downgrading
✅ Eliminates rewriting vulnerabilities

2. Disable HTTP/1.1 Fallback

✅ Configure proxy to reject HTTP/1.1 backend
✅ Force HTTP/2 or fail

3. Proper Header Validation

✅ Validate CL header matches actual body
✅ Reject TE header in HTTP/2 requests
✅ Check for forbidden characters (CR, LF, NUL)

4. Update Software

✅ Apply security patches
✅ Monitor CVEs for proxy software
✅ Test after updates

Configuration Examples

Nginx (Force HTTP/2 to Backend)

upstream backend {
    server backend:443;
    # Force HTTP/2
    http2_push_preload on;
}

HAProxy

# Reject mixed protocols
http-request deny if !{ ssl_fc_alpn -i h2 }

Summary

Tool

Purpose

HTTP Request Smuggler

Automated CL.0/H2.CL detection

Burp Repeater

Manual verification

Tab Groups

Sequential request testing

Prevention Priority

🔄 HTTP/2 end-to-end - Eliminate downgrading
✅ Validate headers - CL must match body
🚫 Reject TE in HTTP/2 - Per RFC
🔍 Validate characters - No CR/LF/NUL in headers

References

PreviousAdvanced H2 Vulnerabilities NextSkills Assessment

Last updated 1 month ago

hashtagTools of the Trade

hashtagHTTP Request Smuggler (Burp Extension)

hashtagCL.0 Vulnerability Scanning

hashtagWhat is CL.0?

hashtagRunning the Scan

hashtagExample Output

hashtagVerifying the Finding

hashtagExpected Results

hashtagVerification Steps

hashtagHTTP/2 Prevention

hashtagRoot Cause

hashtagPrevention Strategies

hashtag1. End-to-End HTTP/2

hashtag2. Disable HTTP/1.1 Fallback

hashtag3. Proper Header Validation

hashtag4. Update Software

hashtagConfiguration Examples

hashtagNginx (Force HTTP/2 to Backend)

hashtagHAProxy

hashtagSummary

hashtagPrevention Priority

hashtagReferences