H2SpaceX

HTTP/2 low level library based on Scapy which can be used for Single Packet Attack (Race Condition on H2)

Dive into Single Packet Attack Article

I wrote an article and published it at InfoSec Write-ups:

• Dive into Single Packet Attack

TODO

• Single Packet Attack - POST
  • [x] implement
• Single Packet Attack - GET
  • [x] Content-Length: 1 Method
  • [x] POST Request with x-override-method: GET header
• Response Parsing
  • [x] implement
  • [ ] implement threaded response parser
  • [x] Body Decompression
    • [x] gzip
    • [x] br
    • [x] deflate
• Proxy
  • [x] Socks5 Proxy

More Research

Some following statements are just ideas and not tested or implemented.

• More Request in a Single Packet
  • Increase MSS (Idea by James Kettle)
  • Out of Order TCP Packets (Idea by James Kettle)
  • IP Fragmentation
• Proxy the Single Packet Request through SOCKS
• Single Packet Attack on GET Requests
  • Content-Length: 1 Method (Idea by James Kettle)
  • x-override-method: GET Method (Idea by James Kettle)
  • Index HPACK Headers to Make GET Requests Smaller
  • HEADERS Frame without END_HEADER Flag
  • HEADERS Frame Without Some Pseudo Headers

Installation

H2SpaceX works with Python 3 (preferred: >=3.10)

pip install h2spacex

Quick Start

You can import the HTTP/2 TLS Connection and set up the connection. After setting up the connection, you can do other things:

from h2spacex import H2OnTlsConnection

h2_conn = H2OnTlsConnection(
    hostname='http2.github.io',
    port_number=443
)

h2_conn.setup_connection()
...

see more examples in Wiki Page

Examples

See examples which contain some Portswigger race condition examples.

Examples Page

References & Resources

• James Kettle DEF CON 31 Presentation
• Portswigger Research Page
• HTTP/2 in Action Book

I also got some ideas from a previous developed library h2tinker.

Finally, thanks again to James Kettle for directly helping and pointing some other techniques.