HTTP2 support

tosebro May 04, 2015 12:49AM UTC

I would like to test an application running on HTTP2.
Do you have any roadmap for supporting HTTP2?

Dafydd Stuttard May 05, 2015 08:23AM UTC Support Center agent

We do plan to add support for (some) HTTP/2 features into Burp, based on the pace of adoption and usage of those features. We can’t currently promise an ETA for that support.

tosebro May 09, 2015 04:54AM UTC
Thanks, I'm looking forward to the feature!

Burp User Oct 16, 2015 02:18PM UTC
With apache having added support for HTTP/2, is there any update on an ETA?

Dafydd Stuttard Oct 19, 2015 08:07AM UTC Support Center agent

No updates as yet. We’re continuing to monitor take-up in real-world applications, and the extent to which downgrading to HTTP/1 continues to reach all of the application-layer attack surface.

red667 Dec 01, 2015 10:57AM UTC
Just ran into the problem that I could not connect to a Jetty webserver running on HTTP/2.0.

Any news on when Burp will support HTTP/2.0?

Dafydd Stuttard Dec 01, 2015 12:25PM UTC Support Center agent

If you create a Proxy match/replace rule to delete the “Upgrade” header in requests, does that help? This will make it look to the server as if the client is not attempting the upgrade to HTTP/2.
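
An added example (not part of the original reply and not Burp's own code): the header rewrite such a match/replace rule performs, written in Python for the cleartext h2c upgrade defined in RFC 7540. It goes slightly beyond the reply by also dropping the `HTTP2-Settings` header and the matching `Connection` tokens, and by leaving non-h2c upgrades such as WebSocket alone; `strip_h2c_upgrade` and the sample request are constructed for illustration.

```python
# Added example: strip the cleartext HTTP/2 (h2c) upgrade offer from a request.
# strip_h2c_upgrade and SAMPLE are constructed for illustration.

def _tokens(value: bytes) -> list:
    """Split a comma-separated header value into trimmed, non-empty tokens."""
    return [t.strip() for t in value.split(b",") if t.strip()]

def strip_h2c_upgrade(raw: bytes) -> bytes:
    head, sep, body = raw.partition(b"\r\n\r\n")   # body is never modified
    request_line, *headers = head.split(b"\r\n")

    # Pass 1: is h2c on offer, and would any other protocol remain?
    offered = [t for h in headers
               if h.partition(b":")[0].strip().lower() == b"upgrade"
               for t in _tokens(h.partition(b":")[2])]
    if not any(t.lower() == b"h2c" for t in offered):
        return raw                                  # e.g. a WebSocket handshake
    others_remain = any(t.lower() != b"h2c" for t in offered)

    # Pass 2: rebuild the header block without the h2c offer.
    out = [request_line]
    for line in headers:
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"http2-settings":
            continue                                # only meaningful with h2c
        if lname == b"upgrade":
            keep = [t for t in _tokens(value) if t.lower() != b"h2c"]
        elif lname == b"connection":
            drop = {b"http2-settings"} | (set() if others_remain else {b"upgrade"})
            keep = [t for t in _tokens(value) if t.lower() not in drop]
        else:
            out.append(line)
            continue
        if keep:                                    # drop headers left empty
            out.append(name + b": " + b", ".join(keep))
    return b"\r\n".join(out) + sep + body

# Constructed sample: an h2c upgrade offer as a client would send it.
SAMPLE = (b"GET / HTTP/1.1\r\n"
          b"Host: app.example\r\n"
          b"Connection: keep-alive, Upgrade, HTTP2-Settings\r\n"
          b"Upgrade: h2c\r\n"
          b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(strip_h2c_upgrade(SAMPLE).decode())
```

HTTP/2 over TLS is negotiated through ALPN rather than the `Upgrade` header, so this rewrite only affects cleartext h2c upgrades.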

Justin Palk Oct 17, 2016 11:43AM UTC
Any update as to when Burp will add http2 support?

Dafydd Stuttard Oct 18, 2016 03:59PM UTC Support Center agent

No update at present.

John Jun 14, 2017 07:33AM UTC
As a penetration tester, I encounter more and more HTTP/2 applications. Will it be possible to use Burp for this in the near future?

Paul Johnston Jun 14, 2017 07:49AM UTC Support Center agent

Hi John,

Thanks for getting in touch.

HTTP/2 support is definitely on our radar. It’s a major change as it moves away from the traditional request/response model that Burp is based on.

Our view has been that all HTTP/2 apps are also available as HTTP/1.1. Have you found otherwise?

If you can share any information on methodologies you’ve used for HTTP/2 apps and features that would help you, we’ll make a note of those.

John Aug 01, 2017 01:52PM UTC
Hello Paul,

When can we expect HTTP/2 support in Burp?
So far, most of the backends support both HTTP/1.1 and HTTP/2. The only tool so far that can be used to intercept and display HTTP/2 traffic is MITMProxy, which even offers an API to deal with the requests. Still, for manual penetration testing, this is not very well suited.
So far, only the standard Burp features that are used in HTTP/1.1 would be completely sufficient for testing apps that are only available over HTTP/2.

Paul Johnston Aug 02, 2017 08:13AM UTC Support Center agent

Hi John,

At present we are not prioritizing HTTP/2 support. The main reason for this is that all apps are also available over HTTP/1.1 and you can perform testing using HTTP/1.1. While testing with HTTP/2 would be more thorough, we don’t think that in practice it will find additional results.

If this changes we may reconsider. For example, if we see examples of application flaws that only occur on HTTP/2 that would be interesting.

If you only need the standard HTTP/1.1 Burp features, maybe you could set up MITMProxy so that Burp talks HTTP/1.1 to MITMProxy which then talks HTTP/2 to the target app?

Stefan Aug 11, 2017 08:37AM UTC
Hey Paul,

You mean something like this here?

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Sorry to say, but I would prefer to see burp being able to handle HTTP/2.0 instead of using additional proxies along the way.

Stephen Aug 16, 2017 01:16PM UTC
Paul -

I understand that most servers will fall back to HTML 1.1 but we need support when specifically looking for HTTP 2 vulnerabilities. When will Burp Suite support HTTP 2? Really need this feature!

Paul Johnston Aug 18, 2017 02:28PM UTC Support Center agent

We are getting a lot of requests for this. We are going to work on Web Sockets support first. We’ll get on to HTTP/2 after.

Jason Ross Jan 04, 2018 07:00PM UTC
Just wanted to throw in a "please add this support soon": iOS v11 now defaults to http/2 if the backend server supports it, so the ability to intercept this is becoming an increasingly common use case.

Paul Johnston Jan 05, 2018 09:42AM UTC Support Center agent

Hi Jason,

Thanks for letting us know. How does iOS v11 behave with Burp inline? Does it revert to HTTP/1.1?

Nishaanth Jan 24, 2018 07:30AM UTC

Can you please let us know if HTTP/2 support is to be shipped with Burp? We are getting an increased number of applications using HTTP/2.

Paul Johnston Jan 24, 2018 09:00AM UTC Support Center agent

Hi Nishaanth,

Burp will get HTTP/2 support in the future, but it is likely to be some time. In our experience, all HTTP/2 applications also support HTTP/1.1. We also believe that application flaws that only affect HTTP/2 are likely to be rare, as in most cases application code is not aware of the HTTP version. If you have any experience of either of these not being true, please let us know, as it makes a case for bumping the priority of HTTP/2 support.

jack son Apr 23, 2018 02:45PM UTC
Hello Burp Support

Has HTTP/2 been supported natively in Burp Suite Pro?

Paul Johnston Apr 26, 2018 10:19AM UTC Support Center agent

Hi Jackson,

Sorry, HTTP/2 is not implemented at present. It is in the plan, but it is likely to be some time until we get to it.

Manideep Jul 09, 2018 10:06AM UTC
Hello Team,

We have seen applications running HTTP/2 that also support HTTP/1.1. Now, we are experiencing a few applications not supporting HTTP/1.1 anymore. Expecting HTTP/2 support soon.

GWJ Nov 13, 2018 10:41AM UTC
Also getting http/2 only sites now.

Paul Johnston Nov 13, 2018 10:58AM UTC Support Center agent

Hi Gareth, thanks for letting us know about that. Can I ask: what context is this happening in? Are these intranet apps or internet-facing?

softscheck Dec 20, 2018 11:12AM UTC
We also had some internet-facing AND intranet http/2 only web apps recently. Http/2 support is really getting important now... We are also still looking forward to the websocket reply feature!

DustinC Jan 14, 2019 04:38AM UTC
Yeah, I'm running into sites that are HTTP/2 only now. Even if we started a beta version this would be helpful. Thank You.

Paul Johnston Jan 14, 2019 11:44AM UTC Support Center agent

DustinC – Can you confirm that these sites are strictly HTTP/2 only and are unable to downgrade to HTTP/1.1?

JSon.Xm Mar 18, 2019 09:18AM UTC

Websockets reply feature & HTTP/2 support will be great for all of the Burp Pro users!!!
Please consider this in your plans for 2019 :)

Best Regards.

Pentest Jun 07, 2019 04:48PM UTC
Having BurpSuite support for HTTP 2.0 would be excellent for testing IDS evasion
