Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

HttpRequest Transformation to Convert HTTP_MODE

Alexandre | Last updated: Aug 12, 2024 09:04PM UTC

I noticed the withTransformationApplied method and would like to suggest adding a potential HttpTransformation.HTTP_VERSION to the backlog. This could facilitate switching HTTP versions more seamlessly. For example, you might consider implementing something like this: public HttpRequest convertToHttp1(HttpRequest httpRequest) { return httpRequest.withTransformationApplied(HttpTransformation.HTTP_VERSION); } Thanks, Alex

Hannah, PortSwigger Agent | Last updated: Aug 13, 2024 01:34PM UTC

Hi Alex Are you having any issues using "RequestMode" or "RequestOptions.withRequestMode()" on the "sendRequest()" method?

Alexandre | Last updated: Aug 13, 2024 03:46PM UTC

The request consistently defaults to HTTP/2, even though HTTP/1 is specified. HttpRequestResponse httpRequestResponse = montoyaApi().http() .sendRequest(http2Request, HttpMode.HTTP_1); This might be because the request is an HTTP/2 request. As a temporary workaround, I am manually converting the request to HTTP/1, which introduces unnecessary boilerplate code. To simplify this process, I suggest adding an HttpTransformation to handle the conversion from HTTP/2 to HTTP/1 and HTTP/1 to HTTP/2.

Hannah, PortSwigger Agent | Last updated: Aug 14, 2024 02:44PM UTC

Could you tell me how you are determining the request is being sent with HTTP/2? When you send a request in HTTP_1 mode, could you check the outgoing request in "Logger"? If you expand the request attributes section in Inspector, is HTTP/1 selected?

Alexandre | Last updated: Aug 14, 2024 04:21PM UTC

My current workaround involves constructing HTTP/1 or HTTP/2 requests based on an argument, as shown below: HttpRequest = helper.buildHttpRequest(httpMode, data); And the method: private void buildHttpRequest(MyHttpMode httpMode, Data data) { // SNIP return httpMode.equals(MyHttpMode.HTTP_2) ? HttpRequest.http2Request(httpService, http2Headers, body) : HttpRequest.httpRequest() .withService(httpService) .withMethod("POST") .withPath(uri.getPath()) .withHeader(HttpHeader.httpHeader("Content-Type", "application/json")) .withBody(body); } This solution is far from ideal. Since HttpMode does not seem to affect the sendRequest method and the requests are sent using HTTP/2 regardless, this workaround is necessary. This is why I am a suggesting adding this HttpMode transform to MonytoyaApi to abstract this process and eliminate the boilerplate code.

Hannah, PortSwigger Agent | Last updated: Aug 15, 2024 01:05PM UTC

Hi

Burp handles this conversion itself when you specify the HttpMode.

You can see this in the following example:
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.HttpMode;
import burp.api.montoya.http.message.requests.HttpRequest;

@SuppressWarnings("unused")
public class Extension implements BurpExtension
{
    @Override
    public void initialize(MontoyaApi montoyaApi)
    {
        HttpRequest request = HttpRequest.httpRequestFromUrl("https://portswigger-labs.net");

        montoyaApi.http().sendRequest(request, HttpMode.HTTP_1);
        montoyaApi.http().sendRequest(request, HttpMode.HTTP_2);
    }
}
If you build and load this extension and then check your Logger tab, you should see two requests, one sent with HTTP/1 and one sent with HTTP/2. To verify which request is sent with which protocol, make sure to expand the "Request attributes" section in Inspector.

We've not made any edits to the request itself, it's the same one sent each time with a different mode.

The only time you should need to build an "http2Request" specifically is if you wish to do something complicated like "kettling" a request (e.g. adding a new line in a header name or value whilst still being part of the same header).

Please let me know how you get on.

Alexandre | Last updated: Aug 16, 2024 02:29PM UTC

After further troubleshooting, I have found that the `HttpMode` in `sendRequest` only functions correctly with `HTTP/1` requests and does not work with `HTTP/2` requests - as you have highlighted in your reply. While it might seem like a small detail, I would appreciate the following improvements: 1. A constructor for `HTTP/1` requests that accepts a `List<HttpHeader>` argument. 2. A `TransformerHelper` to convert between `HTTP/1` and `HTTP/2`. 3. Clear documentation in the JavaDoc for the fact that `HttpMode` in `sendRequest` only work with `HTTP/1` base requests. This would have saved me a significant amount of time during troubleshooting. Thank for your assistance Hannah.

Hannah, PortSwigger Agent | Last updated: Aug 20, 2024 11:45AM UTC