Burp community forum

HTTP2 support

tosebro | Last updated: May 04, 2015 12:49AM UTC

I would like to test an application running on HTTP2. Do you have any roadmap for supporting HTTP2?

PortSwigger Agent | Last updated: May 05, 2015 08:22AM UTC

We do plan to add support for (some) HTTP/2 features into Burp, based on the pace of adoption and usage of those features. We can't currently promise an ETA for that support.

Burp User | Last updated: May 09, 2015 04:54AM UTC

Thanks, I'm looking forward to the feature!

Burp User | Last updated: Oct 16, 2015 02:18PM UTC

With Apache having added support for HTTP/2, is there any update on an ETA?

PortSwigger Agent | Last updated: Oct 19, 2015 08:06AM UTC

No updates as yet. We're continuing to monitor take-up in real-world applications, and the extent to which downgrading to HTTP/1 continues to reach all of the application-layer attack surface.

Burp User | Last updated: Dec 01, 2015 10:57AM UTC

Just ran into the problem that I could not connect to a Jetty webserver running on HTTP/2.0. Any news on when Burp will support HTTP/2.0?

PortSwigger Agent | Last updated: Dec 01, 2015 12:23PM UTC

If you create a Proxy match/replace rule to delete the "Upgrade" header in requests, does that help? This will make it look to the server as if the client is not attempting the upgrade to HTTP/2.
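
Added example, not part of the original post or PortSwigger's code: a Python model of what such a rule has to remove for the cleartext HTTP/2 (h2c) upgrade defined in RFC 7540, section 3.2, namely the `Upgrade: h2c` offer, the `HTTP2-Settings` header and the matching `Connection` tokens, while leaving a WebSocket handshake untouched. The function names and sample requests are constructed for illustration.

```python
# Added example: strips the cleartext HTTP/2 (h2c) upgrade offer from an
# HTTP/1.1 request head. Sample requests below are constructed.

SAMPLE_H2C = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Connection: keep-alive, Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n"
)
SAMPLE_WEBSOCKET = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: websocket\r\n\r\n"
)

def _tokens(value: bytes) -> list:
    """Split a comma-separated header value into trimmed tokens."""
    return [t.strip() for t in value.split(b",") if t.strip()]

def strip_h2c_upgrade(raw: bytes) -> bytes:
    """Remove the h2c offer; leave other Upgrade protocols in place."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in
               (line.partition(b":") for line in header_lines)]
    offered = [t for n, v in headers if n.lower() == b"upgrade" for t in _tokens(v)]
    if not any(t.lower() == b"h2c" for t in offered):
        return raw  # e.g. a WebSocket handshake: nothing to strip
    other = [t for t in offered if t.lower() != b"h2c"]
    # Connection tokens that must go with the headers being removed.
    drop = {b"http2-settings"} | (set() if other else {b"upgrade"})
    out, upgrade_written = [request_line], False
    for name, value in headers:
        lname = name.lower()
        if lname == b"http2-settings":
            continue
        if lname == b"upgrade":
            if other and not upgrade_written:
                out.append(name + b": " + b", ".join(other))
                upgrade_written = True
            continue
        if lname == b"connection":
            value = b", ".join(t for t in _tokens(value) if t.lower() not in drop)
            if not value:
                continue
        out.append(name + b": " + value)
    return b"\r\n".join(out) + sep + body
```

The `Upgrade` header is only used for cleartext `http://` connections; HTTP/2 over TLS is negotiated through ALPN during the handshake, so a header rule like this has no effect there.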

PortSwigger Agent | Last updated: Feb 18, 2016 05:29PM UTC

No update at present.

Burp User | Last updated: Oct 17, 2016 11:43AM UTC

Any update as to when Burp will add http2 support?

Burp User | Last updated: Jun 14, 2017 07:33AM UTC

As a penetration tester, I encounter more and more HTTP/2 applications. Will it be possible to use Burp for this in the near future?

PortSwigger Agent | Last updated: Jun 14, 2017 07:44AM UTC

Hi John, Thanks for getting in touch. HTTP/2 support is definitely on our radar. It's a major change as it moves away from the traditional request/response model that Burp is based on. Our view has been that all HTTP/2 apps are also available as HTTP/1.1. Have you found otherwise? If you can share any information on methodologies you've used for HTTP/2 apps and features that would help you, we'll make a note of those.

PortSwigger Agent | Last updated: Jun 30, 2017 11:10AM UTC

Hi John, At present we are not prioritizing HTTP/2 support. The main reason for this is that all apps are also available over HTTP/1.1 and you can perform testing using HTTP/1.1. While testing with HTTP/2 would be more thorough, we don't think that in practice it will find additional results. If this changes we may reconsider. For example, if we see examples of application flaws that only occur on HTTP/2 that would be interesting. If you only need the standard HTTP/1.1 Burp features, maybe you could set up MITMProxy so that Burp talks HTTP/1.1 to MITMProxy which then talks HTTP/2 to the target app?

Burp User | Last updated: Aug 01, 2017 01:52PM UTC

Hello Paul, When can we expect HTTP/2 support in Burp? So far, most of the backends support both HTTP/1.1 and HTTP/2. The only tool so far that can be used to intercept and display HTTP/2 traffic is MITMProxy, which even offers an API to deal with the requests. Still, for manual penetration testing, this is not very well suited. So far, only the standard Burp features that are used in HTTP/1.1 would be completely sufficient for testing apps that are only available over HTTP/2.

Burp User | Last updated: Aug 11, 2017 08:37AM UTC

Hey Paul, You mean something like this here? https://nvd.nist.gov/vuln/detail/CVE-2017-7675 The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL. Sorry to say, but I would prefer to see burp being able to handle HTTP/2.0 instead of using additional proxies along the way.

PortSwigger Agent | Last updated: Aug 11, 2017 08:42AM UTC

We are getting a lot of requests for this. We are going to work on Web Sockets support first. We'll get on to HTTP/2 after.

Burp User | Last updated: Aug 16, 2017 01:16PM UTC

Paul - I understand that most servers will fall back to HTML 1.1 but we need support when specifically looking for HTTP 2 vulnerabilities. When will Burp Suite support HTTP 2? Really need this feature!

Burp User | Last updated: Jan 04, 2018 07:00PM UTC

Just wanted to throw in a "please add this support soon": iOS v11 now defaults to http/2 if the backend server supports it, so the ability to intercept this is becoming an increasingly common use case.

PortSwigger Agent | Last updated: Jan 05, 2018 07:50AM UTC

Hi Jason, Thanks for letting us know. How does iOS v11 behave with Burp inline? Does it revert to HTTP/1.1?

Burp User | Last updated: Jan 24, 2018 07:30AM UTC

Hey, Can you please let us know if HTTP/2 support is to be shipped with Burp? We are getting an increased number of applications using HTTP/2.

PortSwigger Agent | Last updated: Jan 24, 2018 08:40AM UTC

Hi Nishaanth, Burp will get HTTP/2 support in the future, but it is likely to be some time. In our experience, all HTTP/2 applications also support HTTP/1.1. We also believe that application flaws that only affect HTTP/2 are likely to be rare, as in most cases application code is not aware of the HTTP version. If you have any experience of either of these not being true, please let us know, as it makes a case for bumping the priority of HTTP/2 support.

Burp User | Last updated: Apr 23, 2018 02:45PM UTC

Hello Burp Support, has HTTP/2 been supported natively in Burp Suite Pro?

PortSwigger Agent | Last updated: Apr 23, 2018 03:24PM UTC

Hi Jackson, Sorry, HTTP/2 is not implemented at present. It is in the plan, but it is likely to be some time until we get to it.

Burp User | Last updated: Jul 09, 2018 10:06AM UTC

Hello Team, We have seen applications running HTTP/2 that also support HTTP/1.1. Now, we are experiencing a few applications not supporting HTTP/1.1 anymore. Expecting HTTP/2 support soon.

PortSwigger Agent | Last updated: Jul 09, 2018 10:07AM UTC

Hi Gareth, thanks for letting us know about that. Can I ask: what context is this happening in? Are these intranet apps or internet-facing?

Burp User | Last updated: Nov 13, 2018 10:41AM UTC

Also getting http/2 only sites now.

Burp User | Last updated: Dec 20, 2018 11:12AM UTC

We also had some internet-facing AND intranet http/2 only web apps recently. Http/2 support is really getting important now... We are also still looking forward to the websocket reply feature!

PortSwigger Agent | Last updated: Dec 20, 2018 11:13AM UTC

DustinC - Can you confirm that these sites are strictly HTTP/2 only and are unable to downgrade to HTTP/1.1?

Burp User | Last updated: Jan 14, 2019 04:38AM UTC

Yeah, I'm running into sites that are HTTP/2 only now. Even if we started a beta version this would be helpful. Thank You.

Burp User | Last updated: Mar 18, 2019 09:18AM UTC

Well, Websockets reply feature & HTTP/2 support will be great for all of the Burp Pro users!!! Please consider this in your plans for 2019 :) Best Regards.

Liam, PortSwigger Agent | Last updated: Mar 18, 2019 09:26AM UTC

We plan to start working on this in early 2020. We'll update you when we've made some progress.

Burp User | Last updated: Jun 07, 2019 04:48PM UTC

Having BurpSuite support for HTTP 2.0 would be excellent for testing IDS evasion

Burp User | Last updated: Oct 02, 2019 09:53AM UTC

It has been 4 years since this support was first requested. HTTP/2.0 is now being replaced by HTTP/3 (https://http3.net). We have seen both HTTP/2 and HTTP/3 in several pentest engagements with clients; it is out there and being used already. Want to be the only tool to support these? Now is your chance.

Burp User | Last updated: Oct 08, 2019 01:19PM UTC

Hi, how is the http3 support looking? I mean http2, but that is already implemented, no?

Liam, PortSwigger Agent | Last updated: Oct 10, 2019 10:57AM UTC

We're monitoring HTTP3 usage. We'll be working on providing HTTP2 support in early 2020.

Burp User | Last updated: Jan 15, 2020 11:08AM UTC

Is there a timeline for when HTTP2 support will be available? Any alphas or betas that we can try? There is widespread gRPC usage in the industry and Burp still does not work with it.
