Burp Suite User Forum


HTTP/1.1 requests are silently upgraded to HTTP/2

Mike | Last updated: Jun 14, 2021 09:05PM UTC

I have a setup where I'm running a CLI REST client through Burp Pro. In Burp Proxy History I see:

Request
------
GET /some/api/path HTTP/1.1
...

Response
------
HTTP/2 200 ok
...

and then my CLI client blows up with an "Invalid protocol" error.

The HTTP/1.1 spec (RFC 7230 section 6.7) says:

> A server MUST NOT switch to a protocol that was not indicated by the client in the corresponding request's Upgrade header field.

Section 6.7 goes on to describe how you properly do a protocol upgrade via a 101 Switching Protocols response.

As far as I can tell, Burp is initiating an HTTP/2 connection to the server, and then forwarding the HTTP/2 response back to the client that believes it is speaking HTTP/1.1. This is a bug in Burp since it is hard-switching protocols in violation of RFC 7230. The client is correct to kill the connection.

Note that if I go to Project Options and disable HTTP/2, then everything works, but this is still a bug in Burp.

I can provide more detailed debugging info (like the full req's resp's) to support, but I don't want to post them publicly.
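
The check described in the post above, as an added example that is not part of the original thread and is not Burp's code: it takes a request head and the response head returned for it and reports a status line that is not valid HTTP/1.x, a major-version change without 101, or a 101 that picks a protocol the request's Upgrade header did not offer. The function names, the host `api.example.test` and the sample messages are constructed for illustration.

```python
import re

REQ_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/(\d)\.(\d)$")
# An HTTP/1.x status-line needs "HTTP/<digit>.<digit>"; the minor part is
# optional here only so a line like "HTTP/2 200 ok" can be parsed and reported.
STATUS_LINE = re.compile(r"^HTTP/(\d)(?:\.(\d))? (\d{3})(?: .*)?$")

# Constructed sample messages (not captured traffic).
REQ = "GET /some/api/path HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
BAD = "HTTP/2 200 ok\r\ncontent-type: application/json\r\n\r\n{}"
REQ_UPGRADE = REQ[:-2] + "Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
OK_101 = "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n"


def _split(message):
    """Return (start_line, {lowercased header name: value}) for a message head."""
    lines = message.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def _tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_exchange(request, response):
    """Return a list of findings; an empty list means the pair is consistent."""
    req_line, req_h = _split(request)
    status, resp_h = _split(response)
    req_m, resp_m = REQ_LINE.match(req_line), STATUS_LINE.match(status)
    if not req_m or not resp_m:
        return ["unparseable start line"]
    findings, offered = [], _tokens(req_h.get("upgrade", ""))
    if req_m.group(1) == "1" and resp_m.group(2) is None:
        findings.append("not a valid HTTP/1.x status-line: " + status)
    if resp_m.group(3) == "101":
        chosen = _tokens(resp_h.get("upgrade", ""))
        if not chosen or not chosen <= offered:
            findings.append("101 switches to a protocol the client did not offer")
    elif resp_m.group(1) != req_m.group(1):
        findings.append("major version changed without 101 Switching Protocols")
    return findings
```
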

Uthman, PortSwigger Agent | Last updated: Jun 15, 2021 08:21AM UTC

Hi Mike, Thanks for reporting this issue. Our development team is currently investigating. If possible, can you please share some further information with support@portswigger.net?

Uthman, PortSwigger Agent | Last updated: Jun 16, 2021 07:11AM UTC

Hi Mike, We have identified an issue with HTTP/2 incorrectly being reported in responses in some cases. We will update this thread when a fix has been implemented.

Michelle, PortSwigger Agent | Last updated: Jul 23, 2021 01:39PM UTC

Hi, We just wanted to let you know that you can re-test this using the latest Early Adopter release of Burp, as we have included a fix relating to this issue in version 2021.7. Please let us know if you have any questions.

Mohamed | Last updated: Aug 10, 2021 12:24PM UTC

Problem persists even in 2021.8.

Uthman, PortSwigger Agent | Last updated: Aug 10, 2021 12:27PM UTC

Hi Sim, Can you please email support@portswigger.net with some steps to replicate and your diagnostics (Help > Diagnostics)? If you could share a URL that this behavior occurs on, that would be great.
