Offensive Tools

h2c Smuggler: Smuggles HTTP traffic past insecure edge-server proxy_pass configurations

h2c Smuggler upgrades HTTP/1.1 connections to the lesser-known HTTP/2 over cleartext (h2c) protocol. This can allow a bypass of reverse proxy access controls and lead to long-lived, unrestricted HTTP traffic sent directly to back-end servers.


About h2c Smuggler

Features Overview

  • Works on some cleartext channels: as long as the proxy does not support h2c upgrades itself and simply forwards the client’s h2c upgrade request to the back end, this attack will likely succeed on non-encrypted channels as well.
  • Can send as many requests as you like via HTTP/2 multiplexing
  • Enables a wide variety of attacks, including: forging internal headers, accessing restricted administrative endpoints, and sometimes Host header SSRF allowing further movement through the network.
  • Maintains a "defense in depth" strategy
  • Works in the event of multiple layers of proxies
  • Makes a strong candidate for low-latency intra-network (i.e., microservice) communication
  • Avoids the management and performance overhead of TLS
  • Tested on newly discovered attack techniques against customers of Bishop Fox's Continuous Attack Surface Testing (CAST)
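
The condition described above (an edge proxy that forwards the client's h2c upgrade request unchanged) can be checked on the defending side. The following is an added example, not code from h2c Smuggler or from this page: it triages a raw HTTP/1.1 request head the way an edge filter could, using the upgrade headers defined in RFC 7540 section 3.2. The function names, `ALLOWED_UPGRADES` and the sample request are assumptions made for illustration.

```python
# Added example: edge-side triage of HTTP/1.1 Upgrade requests (RFC 7540, section 3.2).
# Function names, ALLOWED_UPGRADES and the sample request are constructed for illustration.

ALLOWED_UPGRADES = {"websocket"}  # assumption: the only upgrade this edge must pass


def parse_headers(raw: bytes) -> dict:
    """Return {lower-cased name: [values]} from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def tokens(headers: dict, name: str) -> set:
    """Comma-separated tokens, lower-cased, across every occurrence of a header."""
    values = ",".join(headers.get(name, []))
    return {t.strip().lower() for t in values.split(",") if t.strip()}


def classify(raw: bytes) -> str:
    """Decide how the edge should treat one request head."""
    headers = parse_headers(raw)
    upgrade = tokens(headers, "upgrade")
    # h2c can hide in a list of offered protocols or in a repeated header,
    # and HTTP2-Settings only has meaning for an h2c upgrade.
    if "h2c" in upgrade or "http2-settings" in headers:
        return "block-h2c"
    if not upgrade:
        return "pass"
    if upgrade <= ALLOWED_UPGRADES and "upgrade" in tokens(headers, "connection"):
        return "allow-upgrade"
    return "strip-upgrade"  # forward as plain HTTP/1.1 without Upgrade/Connection


if __name__ == "__main__":
    sample = (b"GET / HTTP/1.1\r\nHost: edge.example\r\n"
              b"Upgrade: h2c\r\nHTTP2-Settings: AAMAAABkAAQAAP__\r\n"
              b"Connection: Upgrade, HTTP2-Settings\r\n\r\n")  # constructed
    print(classify(sample))
```

The same allow-list idea applies in proxy configuration: forward a fixed, expected `Upgrade` value instead of whatever the client supplied.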

Lead Researcher

Jake Miller

Jake Miller (OSCE, OSCP) is a Bishop Fox alumnus and former lead researcher. While at Bishop Fox, Jake was responsible for overseeing firm-wide research initiatives. He also produced award-winning research in addition to several popular hacking tools like RMIScout and GitGot.

Twitter: @theBumbleSec

GitHub: the-bumble
