h2c-websocket-smuggling

Official

Bypass proxy ACLs via H2C/WebSocket tunneling.

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

This Skill solves the problem of reverse proxies blocking access to internal backend paths and standard HTTP request smuggling techniques (CL.TE, TE.CL, TE.0) failing due to consistent body parsing between the proxy and backend server.

Core Features & Use Cases

  • H2C Smuggling: Exploit proxy forwarding of HTTP/2 cleartext (H2C) upgrade headers to establish a direct tunnel to the backend, bypassing path-based access control lists, WAF rules, and proxy-layer authentication checks.
  • WebSocket Smuggling: Leverage misconfigured WebSocket handshake validation (invalid version handling or SSRF-triggered health checks) to open persistent TCP tunnels to internal backend services.
  • Use Case: When testing a web application behind a reverse proxy that blocks access to internal admin endpoints, use this Skill to establish a direct connection to the backend server and access restricted resources that are not exposed via the proxy's configured paths.

Quick Start

Use the h2c-websocket-smuggling skill to test if the target reverse proxy forwards H2C upgrade headers and establish a tunnel to access blocked internal backend paths.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: h2c-websocket-smuggling
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#h2c-websocket-smuggling

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.