h2spacex


| Field | Value |
|---|---|
| Name | h2spacex |
| Version | 1.2.0 |
| home_page | https://github.com/nxenon/h2spacex |
| Summary | HTTP/2 Single Packet Attack low level library based on Scapy |
| upload_time | 2024-11-05 11:54:24 |
| maintainer | None |
| docs_url | None |
| author | nxenon |
| requires_python | >=3.8.8 |
| license | GPL-3.0 |
| keywords | race-condition http2 single-packet-attack |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# <img src="https://github.com/nxenon/h2spacex/assets/61124903/fd6387bf-15e8-4a5d-816b-cf5e079e07cc" width="20%" valign="middle" alt="H2SpaceX" />&nbsp;&nbsp; H2SpaceX

[![pypi: 1.2.0](https://img.shields.io/badge/pypi-1.2.0-8c34eb.svg)](https://pypi.org/project/h2spacex/)
[![Python: 3.8.8](https://img.shields.io/badge/Python->=3.10-blue.svg)](https://www.python.org)
[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-006112.svg)](https://github.com/nxenon/h2spacex/blob/main/LICENSE)

A low-level HTTP/2 library based on Scapy that can be used for the Single Packet Attack (race conditions over HTTP/2).

# Dive into Single Packet Attack Article
I wrote an article and published it at InfoSec Write-ups:
- [Dive into Single Packet Attack](https://infosecwriteups.com/dive-into-single-packet-attack-3d3849ffe1d2)

# TODO
- [Single Packet Attack - POST](https://github.com/nxenon/h2spacex/wiki/Quick-Start-Examples)
  - [x] implement
- [Single Packet Attack - GET](https://github.com/nxenon/h2spacex/wiki/GET-SPA-Methods)
  - [x] Content-Length: 1 Method
  - [x] POST Request with x-override-method: GET header
- Response Parsing
  - [x] implement
  - [x] implement threaded response parser
  - [x] add response times in nanoseconds for timing attacks
  - [x] Body Decompression
    - [x] gzip
    - [x] br
    - [x] deflate
- [Proxy](https://github.com/nxenon/h2spacex/wiki/Quick-Start-Examples#proxy-example)
  - [x] Socks5 Proxy

# More Research
Some of the following items are only ideas and have not been tested or implemented.

- More Requests in a Single Packet
  - Increase MSS (Idea by James Kettle)
  - Out of Order TCP Packets (Idea by James Kettle)
  - IP Fragmentation
- Proxy the Single Packet Request through SOCKS
- Single Packet Attack on GET Requests
  - [Content-Length: 1 Method](https://github.com/nxenon/h2spacex/wiki/GET-SPA-Methods) (Idea by James Kettle)
  - [x-override-method: GET](https://github.com/nxenon/h2spacex/wiki/GET-SPA-Methods) Method (Idea by James Kettle)
  - Index HPACK Headers to Make GET Requests Smaller
  - HEADERS Frame without END_HEADERS Flag
  - HEADERS Frame Without Some Pseudo Headers

# Installation
H2SpaceX works with Python 3 (preferred: >=3.10)

    pip install h2spacex


## Error in Installation
If you get Scapy-related errors, upgrade Scapy:


    pip install --upgrade scapy


# Quick Start
You can import the HTTP/2 TLS Connection and set up the connection. After setting up the connection, you can do other things:

```python
from h2spacex import H2OnTlsConnection

h2_conn = H2OnTlsConnection(
    hostname='http2.github.io',
    port_number=443,
    ssl_log_file_path="PATH_TO_SSL_KEYS.log"  # optional (if you want to log ssl keys to read the http/2 traffic in wireshark)
)

h2_conn.setup_connection()
...
```
See more examples on the [Wiki Page](https://github.com/nxenon/h2spacex/wiki/Quick-Start-Examples).

# Examples
See the examples, which include some PortSwigger race condition examples.

[Examples Page](./examples)

# Enhanced Single Packet Attack Method (Black Hat 2024) for Timing Attacks
James Kettle introduced an improved version of the Single Packet Attack at Black Hat 2024 for timing attacks:

![Improved Version Image](https://github.com/user-attachments/assets/bf7bf88c-937a-4a95-899b-990bc6fc6a23)

You can implement this method easily using the `send_ping_frame()` method.

See this wiki page and its `Parse Response (Threaded) + Response Times for Timing Attacks` section:
- [New Method README (WIKI)](https://github.com/nxenon/h2spacex/wiki/SPA-New-Method)

[Improved Version of SPA Sample Exploit](./examples/improved-spa-method.py)

## Reference for the Improved Method
- [Listen to the whispers: web timing attacks that actually work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)

# References & Resources

- [James Kettle DEF CON 31 Presentation](https://youtu.be/tKJzsaB1ZvI?si=6uAuzOt3wjnEGYP6)
- [Portswigger Research Page](https://portswigger.net/research/smashing-the-state-machine#single-packet-attack)
- [HTTP/2 in Action Book](https://www.manning.com/books/http2-in-action)

I also got some ideas from a previously developed library, [h2tinker](https://github.com/kspar/h2tinker).

Finally, thanks again to James Kettle for directly helping and pointing out some other techniques.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/nxenon/h2spacex",
    "name": "h2spacex",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.8.8",
    "maintainer_email": null,
    "keywords": "race-condition, http2, single-packet-attack",
    "author": "nxenon",
    "author_email": "nxenon <nasiri.aminm@gmail.com>",
    "download_url": "https://files.pythonhosted.org/packages/d0/05/d6837e9d657da3ed823b355465a1bc5e342e37a121fc1397c860a1471ef1/h2spacex-1.2.0.tar.gz",
    "platform": null,
    "bugtrack_url": null,
    "license": "GPL-3.0",
    "summary": "HTTP/2 Single Packet Attack low level library based on Scapy",
    "version": "1.2.0",
    "project_urls": {
        "Bug Tracker": "https://github.com/nxenon/h2spacex/issues",
        "Examples": "https://github.com/nxenon/h2spacex/wiki/Quick-Start-Examples",
        "Homepage": "https://github.com/nxenon/h2spacex",
        "Wiki": "https://github.com/nxenon/h2spacex/wiki"
    },
    "split_keywords": [
        "race-condition",
        " http2",
        " single-packet-attack"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "e7b8589b6208500fcb873c4c53463759d85170cc1b766312dcfdd5b05a0d5e13",
                "md5": "cee285ccaeedac74f9c7d1201d0ec1d4",
                "sha256": "de71725ae322238b2dd96087e13fa3f8da5538cfd1e25600661d5170c2fdf0e3"
            },
            "downloads": -1,
            "filename": "h2spacex-1.2.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "cee285ccaeedac74f9c7d1201d0ec1d4",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.8.8",
            "size": 24435,
            "upload_time": "2024-11-05T11:54:22",
            "upload_time_iso_8601": "2024-11-05T11:54:22.994333Z",
            "url": "https://files.pythonhosted.org/packages/e7/b8/589b6208500fcb873c4c53463759d85170cc1b766312dcfdd5b05a0d5e13/h2spacex-1.2.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "d005d6837e9d657da3ed823b355465a1bc5e342e37a121fc1397c860a1471ef1",
                "md5": "da598b5b283902ae3a8e6fc277c5c8b2",
                "sha256": "46c1767fd7d9ae48a158da137b95a02ac59ae9e6b16ea994173e136d6bce5f6a"
            },
            "downloads": -1,
            "filename": "h2spacex-1.2.0.tar.gz",
            "has_sig": false,
            "md5_digest": "da598b5b283902ae3a8e6fc277c5c8b2",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.8.8",
            "size": 25165,
            "upload_time": "2024-11-05T11:54:24",
            "upload_time_iso_8601": "2024-11-05T11:54:24.460949Z",
            "url": "https://files.pythonhosted.org/packages/d0/05/d6837e9d657da3ed823b355465a1bc5e342e37a121fc1397c860a1471ef1/h2spacex-1.2.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-11-05 11:54:24",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "nxenon",
    "github_project": "h2spacex",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "lcname": "h2spacex"
}
        