#data-frame

infosec

• chunkloris: actix-web (h2c) — HTTP/2 (h2c) DATA frames. actix-web (h2c) 4.x. verdict: batches correctly.
• chunkloris: aioquic HTTP/3 example-style server — HTTP/3 DATA frames over QUIC. aioquic HTTP/3 example-style server aioquic 1.3.0. verdict: vulnerable per frame.
• chunkloris: Apache httpd mod_http2 (h2c) — HTTP/2 (h2c) DATA frames. Apache httpd mod_http2 (h2c) 2.4.67. verdict: vulnerable per frame.
• chunkloris: bandit (h2c) — HTTP/2 (h2c) DATA frames. bandit (h2c) 1.11.1. verdict: vulnerable per frame.
• chunkloris: cowboy (h2c) — HTTP/2 (h2c) DATA frames. cowboy (h2c) 2.15.0 (cowlib 2.16.1, ranch 2.2.0). verdict: protected h2 goaway.
• chunkloris: falcon (h2c) — HTTP/2 (h2c) DATA frames. falcon (h2c) 0.49.0. verdict: vulnerable per frame.
• chunkloris: fastify (h2c) — HTTP/2 (h2c) DATA frames. fastify (h2c) 5.8.5. verdict: vulnerable per frame.
• chunkloris: Go net/http + golang.org/x/net/http2 (h2c) — HTTP/2 (h2c) DATA frames. Go net/http + golang.org/x/net/http2 (h2c) go 1.23 + x/net v0.30. verdict: vulnerable per frame.
• chunkloris: granian (ASGI h2c) — HTTP/2 (h2c) DATA frames. granian (ASGI h2c) 1.7.6. verdict: vulnerable per frame.
• chunkloris: HAProxy (h2c frontend) — HTTP/2 (h2c) DATA frames. HAProxy (h2c frontend) 3.0.23. verdict: vulnerable per frame.
• chunkloris: http/1 vs http/2 vs http/3 — how the per-chunk amplification shape changes (and does not change) across http/1.1 chunked transfer encoding, http/2 data frames, and http/3 data frames over quic
• chunkloris: hyper 1.5 + h2 0.4 (h2c) — HTTP/2 (h2c) DATA frames. hyper 1.5 + h2 0.4 (h2c) hyper 1.5 / h2 0.4. verdict: batches correctly.
• chunkloris: hypercorn — HTTP/2 (h2c) DATA frames. hypercorn 0.17.3. verdict: vulnerable per frame.
• chunkloris: hypercorn (HTTP/3) — HTTP/3 DATA frames over QUIC. hypercorn (HTTP/3) 0.17.3 + aioquic 1.3.0. verdict: vulnerable per frame.
• chunkloris: Kestrel (ASP.NET Core 9, h2c) — HTTP/2 (h2c) DATA frames. Kestrel (ASP.NET Core 9, h2c) 9.0. verdict: vulnerable per frame.
• chunkloris: Kestrel (ASP.NET Core 9, HTTP/3) — HTTP/3 DATA frames over QUIC. Kestrel (ASP.NET Core 9, HTTP/3) ASP.NET Core 9.0 + MsQuic. verdict: vulnerable per frame.
• chunkloris: nginx/openresty (h2c) — HTTP/2 (h2c) DATA frames. nginx/openresty (h2c) 1.29.2.3 / openresty:alpine. verdict: vulnerable per frame.
• chunkloris: node http2 (native) — HTTP/2 (h2c) DATA frames. node http2 (native) node-22. verdict: vulnerable per frame.
• chunkloris: phoenix on cowboy (h2c) — HTTP/2 (h2c) DATA frames. phoenix on cowboy (h2c) Phoenix 1.8.7 / plug_cowboy 2.8.1 / cowboy 2.15.0. verdict: protected h2 goaway.
• chunkloris: quic-go HTTP/3 — HTTP/3 DATA frames over QUIC. quic-go HTTP/3 quic-go v0.54.0. verdict: vulnerable per frame.
• chunkloris: Spring Boot + Tomcat (h2c) — HTTP/2 (h2c) DATA frames. Spring Boot + Tomcat (h2c) spring-boot-3.3.5 / tomcat-10.1. verdict: protected h2 goaway.
• chunkloris: Vert.x 4.5 (Netty h2c) — HTTP/2 (h2c) DATA frames. Vert.x 4.5 (Netty h2c) 4.5.10. verdict: batches correctly.