Non-ASCII HTTP/2 header value is incorrectly handled

ttera | Last updated: Oct 24, 2022 12:18AM UTC

Burp converts a non-ASCII HTTP/2 header value byte to "?" (0x3F). Example PHP code to reproduce the bug:

----------------------
<?php
// Response header whose value contains a raw 0xFF byte
header("Location: https://aaa\xFF.bbb");
----------------------

Burp shows:

-----------------------
HTTP/2 302 Found
Location: https://aaa?.bbb
-----------------------

The hex value for "?" is "3f" on Burp's Hex tab (it must be 0xFF, not 0x3F). This is confusing when testing non-ASCII attack patterns. Note that cURL shows that the actual byte is 0xFF.

-----------------------
0000: 6c 6f 63 61 74 69 6f 6e 3a 20 68 74 74 70 73 3a location: https:
0010: 2f 2f 61 61 61 ff 2e 62 62 62 0d 0a             //aaa..bbb..
location: https://aaa▒.bbb
-----------------------

Hannah, PortSwigger Agent | Last updated: Oct 25, 2022 10:45AM UTC

Hi, could you drop us an email at support@portswigger.net with some more information, please?

