High | A05:2021 | CWE-444 | Protocol

HTTP/2 Attacks

H2C cleartext upgrade smuggling and CONNECT tunneling bypass proxy-layer authentication, rate limiting, and IP restrictions — reaching backend services directly.

What Are HTTP/2 Attacks?

HTTP/2 introduces new attack surfaces when reverse proxies forward protocol-upgrade headers to backend services. H2C (HTTP/2 Cleartext) smuggling allows attackers to establish a direct HTTP/2 connection to the backend, bypassing all proxy-layer security controls.

How It Works

H2C Smuggling

GET / HTTP/1.1
Host: target.com
Upgrade: h2c
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
Connection: Upgrade, HTTP2-Settings

If the reverse proxy forwards this upgrade request to the backend:

  1. The backend accepts the HTTP/2 upgrade (returns 101 Switching Protocols)
  2. The connection is now a raw HTTP/2 tunnel to the backend
  3. All subsequent requests on that connection pass through the proxy as opaque bytes, so no auth checks, rate limits, or WAF rules are applied to them

CONNECT Tunneling

CONNECT internal-api.local:8080 HTTP/1.1
Host: target.com

If the server accepts CONNECT, the attacker can tunnel requests to internal services that should never be accessible from the internet.

Real-World Impact

  • Authentication bypass — proxy-enforced auth headers are never checked
  • Rate limit evasion — proxy rate limits don't apply to the direct tunnel
  • Internal service access — reach admin panels, databases, or APIs behind the proxy
  • WAF bypass — all security rules applied at the proxy layer are skipped

How to Fix

Strip Upgrade headers at the proxy (nginx shown):

# An empty value stops nginx from passing the header to the backend.
proxy_set_header Upgrade "";
proxy_set_header Connection "";

Reject the CONNECT method at the web server level.

Disable H2C support on backends unless explicitly required.
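
The first two fixes above, written as the decision a proxy makes before forwarding a request. This is an added example, not code from VibeWShield or from any particular proxy; the function names and the WebSocket allowlist are assumptions, and it goes slightly beyond the text by also dropping any header named in Connection.

```python
# Added sketch of proxy-side request filtering; all names are hypothetical.

# Hop-by-hop headers relevant here (RFC 9110, section 7.6.1), plus
# HTTP2-Settings, which only has meaning next to "Upgrade: h2c".
# Transfer-Encoding is left to the proxy's body-framing code.
STRIP = {"connection", "keep-alive", "proxy-connection", "te",
         "upgrade", "http2-settings"}

# Assumption: WebSocket is the only upgrade this deployment must pass on.
ALLOWED_UPGRADES = {"websocket"}


class RejectRequest(Exception):
    """The request must be refused rather than forwarded."""


def _tokens(value):
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def filter_for_backend(method, headers):
    """Return the (name, value) headers that are safe to send to the backend."""
    if method.upper() == "CONNECT":
        raise RejectRequest("405 Method Not Allowed")

    lower = [(n.strip().lower(), v.strip()) for n, v in headers]

    # Any header named in Connection is hop-by-hop and is dropped too.
    drop = set(STRIP)
    for name, value in lower:
        if name == "connection":
            drop.update(_tokens(value))
    forwarded = [(n, v) for n, v in lower if n not in drop]

    # Restore the upgrade only when every requested protocol is allowlisted,
    # so "Upgrade: h2c" and "Upgrade: websocket, h2c" are both stripped.
    requested = [t for n, v in lower if n == "upgrade" for t in _tokens(v)]
    if requested and all(p in ALLOWED_UPGRADES for p in requested):
        forwarded += [("upgrade", ", ".join(requested)), ("connection", "upgrade")]
    return forwarded


if __name__ == "__main__":
    # The H2C request shown earlier on this page, as header tuples.
    page_request = [("Host", "target.com"), ("Upgrade", "h2c"),
                    ("HTTP2-Settings", "AAMAAABkAARAAAAAAAIAAAAA"),
                    ("Connection", "Upgrade, HTTP2-Settings")]
    print(filter_for_backend("GET", page_request))  # [('host', 'target.com')]
```

A blanket strip like the nginx lines above also removes WebSocket upgrades; the allowlist is what lets a deployment keep those while still refusing h2c.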

What VibeWShield Detects

VibeWShield's HTTP/2 scanner sends an Upgrade: h2c request and checks for 101 Switching Protocols or h2c in response headers. It also tests the CONNECT method. Only 1-2 requests total — no actual smuggling is performed.
