Burp Suite User Forum

http request smuggle (http/2 smuggle probe)

paul | Last updated: Aug 25, 2022 01:53PM UTC

The h2.cl request smuggling lab is straightforward when performed manually. However, I want to make sure of the extent to which I can rely on the extension and scanner for detection. When I run the http/2 smuggle probe it doesn't detect an h2.cl vuln. Am I misunderstanding, or are there settings I am likely misconfiguring?

Hannah, PortSwigger Agent | Last updated: Aug 26, 2022 10:55AM UTC

Hi. I've just checked with the extension's author, and currently finding and exploiting H2.CL vulnerabilities are unsupported in HTTP Request Smuggler.

paul | Last updated: Aug 26, 2022 01:29PM UTC

Ok, thank you ... then I'm confused as to the purpose of the http/2 probe extension option. Hoping that can be explained. vr, paul

Hannah, PortSwigger Agent | Last updated: Aug 30, 2022 03:51PM UTC

H2.CL wasn't included as part of HTTP Request Smuggler's checks, as it is not common in the wild. James/albinowax (the extension author) will likely be adding this functionality in an upcoming update.
