Burp Suite User Forum

Issues between HTTP2 and most extensions

Federico | Last updated: May 11, 2021 09:53AM UTC

Hi,

I'm having a strange bug while testing an HTTP2 application (HTTP2 is enabled in Project Options). All the requests generated or modified by the extensions give an HTTP 400 error, while all the others work correctly. The requests apparently have nothing wrong, including special chars, and some of them are identical to ones executed by Burp Suite core tools.

If I send one of those extension-generated requests to the Repeater, it works correctly and does not give an HTTP 400 error. If I run two Burp instances with one as upstream proxy of the other, all the extension-generated requests executed by the first Burp instance work correctly.

I tried with many plugins, from Autorize/AutoRepeater to plugins that extend the Scanner, but I always obtain HTTP 400 errors with all of them.

For these reasons, I suspect that probably the API methods used to generate HTTP requests are not fully compatible with HTTP2 (maybe IExtenderCallbacks.makeHttpRequest or maybe one of the methods used to build/edit requests). By using two Burp instances or by repeating the requests, the requests are processed by Burp internal core and HTTP2 is probably handled correctly.

Thank you.

Federico

Uthman, PortSwigger Agent | Last updated: May 12, 2021 08:50AM UTC

Hi Federico, Thank you for your message. Our developers are working on a fix for this as we speak and we will update this thread when it has been implemented.

Garrett | Last updated: May 26, 2021 05:43PM UTC

I'm just replying because I encountered the same issue and wanted to bump the thread/save it for later.

Uthman, PortSwigger Agent | Last updated: May 27, 2021 08:08AM UTC

Hi Garrett,

This should be fixed in the latest early adopter (2021.6) release:

- https://portswigger.net/burp/releases/professional-community-2021-6?requestededition=professional

Can you please give it a try and email support@portswigger.net if the issue persists? Please include diagnostics, steps to replicate, and screenshots.

Tobias | Last updated: Sep 06, 2021 04:46PM UTC

Hi, I have the same error. Requests from the macro return a 400 error. When I send the message from the session handler tracer to the Repeater, I also see in the top right corner that it says HTTP/1. I use the version 8.2 pro. I have also tried version 6.2. There it does not work either.

Hannah, PortSwigger Agent | Last updated: Sep 07, 2021 11:03AM UTC

Hi, is it the session handling rules you are having issues with, or a particular extension?

Tobias | Last updated: Sep 13, 2021 03:10PM UTC

Hi Hannah, yes, a session handling rule with a macro. The request from the macro works perfectly when it's tested in the macro config UI but doesn't work when the session handling rule is triggered by Repeater or Scanner.

Uthman, PortSwigger Agent | Last updated: Sep 13, 2021 04:05PM UTC

Hi Tobias,

Can you please replicate the issue and share the information below in an email to support@portswigger.net?

- Diagnostics (Help > Diagnostics)
- A screen recording of the issue or screenshots with written steps to replicate
- Can you replicate this on any site?
- Have you disabled HTTP/2 anywhere in Burp? (Either under Project options or on a Proxy Listener)
