HTTP2 Server Test Suite Data Sheet
Test Suite: HTTP2 Server Test Suite
Direction: Server

Hypertext Transfer Protocol 2 (HTTP/2) is an application-level protocol for distributed, collaborative hypermedia information systems. This test suite can be used to test HTTP/2 server implementations for security flaws and robustness problems. HTTP/2 is the successor of HTTP. HTTP/2 uses headers similar to those of HTTP/1.1, but they are packed in binary form and their values can be Huffman encoded. The biggest changes in HTTP/2 compared to HTTP/1.1 are that the protocol is binary instead of ASCII and that it supports multiple streams.

Used specifications

| Specification | Title | Notes |
|---|---|---|
| RFC2068 | Hypertext Transfer Protocol -- HTTP/1.1 | Only Link header |
| RFC2617 | HTTP Authentication: Basic and Digest Access Authentication | |
| RFC3986 | Uniform Resource Identifier (URI): Generic Syntax | |
| RFC5322 | Internet Message Format | FROM header mailbox specification only. |
| RFC5646 | Tags for Identifying Languages | |
| RFC5789 | PATCH Method for HTTP | |
| RFC5987 | Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters | |
| RFC6265 | HTTP State Management Mechanism | Anomalization only |
| RFC6266 | Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP) | Anomalization only |
| RFC6797 | HTTP Strict Transport Security (HSTS) | Anomalization only |
| RFC6874 | Representing IPv6 Zone Identifiers in Address Literals and Uniform Resource Identifiers | |
| RFC7230 | Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing | |
| RFC7231 | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content | |
| RFC7232 | Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests | |
| RFC7233 | Hypertext Transfer Protocol (HTTP/1.1): Caching | |
| RFC7234 | Hypertext Transfer Protocol (HTTP/1.1): Range Requests | |
| RFC7235 | Hypertext Transfer Protocol (HTTP/1.1): Authentication | |
| RFC7540 | Hypertext Transfer Protocol Version 2 (HTTP/2) | HTTP/2 main specification |
| RFC7541 | HPACK: Header Compression for HTTP/2 | HTTP/2 main specification |
| draft-xie-bidirectional-messaging-02 | An HTTP/2 Extension for Bidirectional Message Communication | HTTP/2 extension |

Tool-specific information

| Tested messages | Specifications | Notes |
|---|---|---|
| 0x00 - Data | RFC7540 | |
| 0x01 - Headers | RFC7540 | |
| 0x02 - Priority | RFC7540 | |
| 0x03 - Reset Stream | RFC7540 | |
| 0x04 - Settings | RFC7540 | |
| 0x05 - Push Promise | RFC7540 | |
| 0x06 - Ping | RFC7540 | |
| 0x07 - Go Away | RFC7540 | |
| 0x08 - Window Update | RFC7540 | |
| 0x09 - Continuation | RFC7540 | |
| 0xFB - XHEADERS | draft-xie-bidirectional-messaging-02 | HTTP/2 Extension |

| Supported features | Specifications | Notes |
|---|---|---|
| HTTP/2 over TCP | RFC7540 | HTTP/2 over TCP (h2c). |
| HTTP/2 over TLS | RFC7540 | HTTP/2 over TLS (h2). |
| Basic Authentication | RFC2617 | HTTP Basic Authentication mechanism. |
| Digest Access Authentication | RFC2617 | HTTP Digest Access Authentication mechanism. |
| Huffman encoding | RFC7541 | HPACK Huffman encoding for HTTP/2 Literal Header values. |
| Identity content encoding | RFC2616 | Default non-encoded data format for HTTP content. |
| Deflate content encoding | RFC1951 | DEFLATE compressed data format for HTTP content. |
| GZIP content encoding | RFC1952 | GZIP file format compression method for HTTP content. |

| Unsupported features | Specifications | Notes |
|---|---|---|
| HTTP/1.x Upgrade to HTTP/2 connection | RFC7540 | Upgrading connection from HTTP/1.x to HTTP/2. HTTP/1.x messages aren't supported. |
| Web applications over HTTP/2 | RFC7540 | Suite doesn't support fuzzing web application specific logic over HTTP/2. |
| HPACK Dynamic table memory | RFC7541 | Suite doesn't keep track of HPACK dynamic table indexes. |

Supported SafeGuard Checks

  • Information leakage
  • Remote execution

Test tool general features
  • Fully automated black-box negative testing
  • Ready-made test cases
  • Written in Java(tm)
  • GUI, command line, and remote interface modes
  • Instrumentation (health-check) capability
  • Support and maintenance
  • Comprehensive user documentation
  • Results reporting and analysis