
Implement an option to force use of HTTP/2

Open darshanpjpt opened this issue 3 years ago • 3 comments

Hello Team,

When I was testing a target, all the requests were resulting in 403. By checking further, I found that the site returns 403 if HTTP/2 is not used.

I think that there should be an option that forces nuclei to use HTTP/2 for all outgoing requests. It should also include the ones that have specified HTTP/1.1 in raw format in the template.

darshanpjpt avatar Sep 10 '22 05:09 darshanpjpt

Confirmed. The connection upgrade does not happen, and even explicit HTTP2 requests via raw requests are being ignored. A temporary solution until this gets fixed is to proxy through BurpSuite, because it automatically upgrades the requests.


Without proxy: (screenshot)

Template with HTTP/2 raw request:

id: http2-test

info:
  name: test
  author: forgedhallpass
  severity: info
  description: HTTP2 test

requests:
  - raw:
      - | # <--- note this. HTTP/2 doesn't work either
        GET / HTTP/2.0
        Host: {{Hostname}}
    
    matchers:
      - type: dsl
        dsl:
          - true


forgedhallpass avatar Sep 10 '22 11:09 forgedhallpass

@forgedhallpass - note httputil package prints HTTP/1.1-like requests, it doesn't print HTTP/2 requests:

HTTP/2 requests are dumped in HTTP/1.x form, not in their original binary representations.

Source: https://cs.opensource.google/go/go/+/refs/tags/go1.19.1:src/net/http/httputil/dump.go;l=208-209

Make sure you've verified the HTTP1.0 protocol is being used with something like tcpdump or wireshark.

jimen0 avatar Sep 11 '22 12:09 jimen0

> @forgedhallpass - note httputil package prints HTTP/1.1-like requests, it doesn't print HTTP/2 requests:
>
> HTTP/2 requests are dumped in HTTP/1.x form, not in their original binary representations.
>
> Source: https://cs.opensource.google/go/go/+/refs/tags/go1.19.1:src/net/http/httputil/dump.go;l=208-209
>
> Make sure you've verified the HTTP1.0 protocol is being used with something like tcpdump or wireshark.

That's true, because HTTP2 is binary, but still the text representation should show HTTP2 if the request was made using HTTP2. Furthermore, the functionality was tested against a host that does not respond to HTTP1.x requests. You can see the differences in the first two screenshots.

forgedhallpass avatar Sep 11 '22 13:09 forgedhallpass

Possible implementations:

  • ForceAttemptHTTP2 Transport option:
    transport := &http.Transport{ForceAttemptHTTP2: true}
  • Using the pure http2 client:
    import "golang.org/x/net/http2"
    ...
    transport := &http2.Transport{}

Related: https://github.com/projectdiscovery/team-backlogs/issues/157

Mzack9999 avatar Sep 26 '22 11:09 Mzack9999
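The two options above, as an added example that is not nuclei's code and not from this thread: a standard-library-only Go program (so it exercises ForceAttemptHTTP2 rather than the x/net/http2 transport) that stands up a constructed HTTP/2-only test server resembling the target in the report, sends the same GET with and without the flag, and reads the negotiated protocol from resp.Proto, which is the check jimen0 asked for, since httputil dumps cannot show it. Function names and the 403 handler are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewTransport builds the client transport. net/http disables its bundled h2 support once a
// custom TLSClientConfig or dialer is set, as scanners do; ForceAttemptHTTP2 re-enables ALPN "h2".
func NewTransport(rootCAs *x509.CertPool, forceH2 bool) *http.Transport {
	return &http.Transport{ForceAttemptHTTP2: forceH2, TLSClientConfig: &tls.Config{RootCAs: rootCAs}}
}

// ProbeProto reports the protocol the response came back on. resp.Proto is trustworthy;
// httputil.DumpRequest is not, since it renders every request in HTTP/1.x form.
func ProbeProto(rootCAs *x509.CertPool, forceH2 bool, url string) (proto string, status int, err error) {
	client := &http.Client{Transport: NewTransport(rootCAs, forceH2)}
	resp, err := client.Get(url)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	return resp.Proto, resp.StatusCode, nil
}

// NewH2OnlyServer is a constructed stand-in for the target in the report:
// it answers 403 to anything that did not arrive over HTTP/2.
func NewH2OnlyServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ProtoMajor != 2 {
			http.Error(w, "HTTP/2 required", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	srv.EnableHTTP2 = true // offer "h2" via ALPN on the TLS listener
	srv.StartTLS()
	return srv
}

func main() {
	srv := NewH2OnlyServer()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust the test server's self-signed cert
	fmt.Println(ProbeProto(pool, false, srv.URL)) // HTTP/1.1 403 <nil>
	fmt.Println(ProbeProto(pool, true, srv.URL))  // HTTP/2.0 200 <nil>
}
```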

Hey there folks, first off y'all are the best! I have reached out on Twitter previously asking how to sponsor you / donate. This needs to be an option! I and so many others would!

With regards to this issue I also see this behavior. HTTP/2 is one part of this, but I would also be interested in being able to send a request with an HTTP version that doesn't exist as well.

id: bla-test

info:
  name: test
  author: forgedhallpass
  severity: info
  description: BLA-test-E-test

requests:
  - raw:
      - | # <--- note this. BLA/1.0 doesn't work either. Expected, based on current issue
        GET / BLA/1.0
        Host: {{Hostname}}
    
    matchers:
      - type: dsl
        dsl:
          - true


hateshape avatar Nov 21 '22 15:11 hateshape

@hateshape thank you, we appreciate your kindness; sharing feedback and bugs is what donations mean to us. We don't accept monetary donations, as the community already did a lot to let us do this full time.

You can pass any malformed request/header if you need to by adding unsafe: true to your template, for example:

id: bla-test

info:
  name: test
  author: pdteam
  severity: info
  description: BLA-test-E-test

requests:
  - raw:
      - |
        GET / BLA/1.0
        Host: {{Hostname}}

    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - true

echo https://example.com | nuclei -t test.yaml -debug-req

[INF] Using Nuclei Engine 2.7.8 (outdated)
[INF] Using Nuclei Templates 9.2.9 (latest)
[INF] Templates added in last update: 45
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[INF] [bla-test] Dumped HTTP request for https://example.com/

GET / BLA/1.0
Host: example.com
[2022-11-21 21:37:54] [bla-test] [http] [info] https://example.com

Check out the documentation for more details - https://nuclei.projectdiscovery.io/templating-guide/protocols/http/#unsafe-http-requests, and also feel free to join the discord server if you have any additional questions/feedback.

ehsandeep avatar Nov 21 '22 16:11 ehsandeep

https://github.com/projectdiscovery/nuclei-docs/pull/84

xm1k3 avatar Nov 30 '22 14:11 xm1k3