一键导入
http2-header-impersonation
Spoof HTTP/2 SETTINGS frames and pseudo-header order per browser profile.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Spoof HTTP/2 SETTINGS frames and pseudo-header order per browser profile.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | http2-header-impersonation |
| description | Spoof HTTP/2 SETTINGS frames and pseudo-header order per browser profile. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires python3, pip |
| metadata | {"tags":["recon","HTTP2","headers","fingerprint","impersonation","browser","JA4"],"category":"recon","related_skills":["tls-fingerprint-impersonation","stealth-browser-launch"]} |
Spoof HTTP/2 SETTINGS frames, pseudo-header ordering, and browser-specific HTTP headers to match real browsers at the protocol level. Targets the detection gap between TLS fingerprinting (ClientHello) and JavaScript fingerprinting — the HTTP/2 connection setup and header structure that anti-bot systems analyze. Matches Chrome, Firefox, Safari iOS, and OkHttp (Android) profiles with exact window sizes, header list limits, and header ordering.
sec-ch-ua, Accept, Accept-Encoding, Priority, and sec-fetch-* headers.terminal tool with python3.pip install impit (includes HTTP/2 impersonation via patched h2 library).# Check if target sends different responses based on HTTP headers
# Compare browser-like headers vs curl defaults
python3 -c "
import requests
# curl default headers
r1 = requests.get('https://target.com')
print(f'Default: {r1.status_code}')
# Browser-like headers
r2 = requests.get('https://target.com', headers={
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.9',
'Accept-Encoding': 'gzip, deflate, br, zstd',
'sec-ch-ua': '\"Chromium\";v=\"142\", \"Google Chrome\";v=\"142\"',
'sec-ch-ua-platform': '\"Windows\"',
'sec-ch-ua-mobile': '?0',
})
print(f'Browser: {r2.status_code}')
"
The impit library applies HTTP/2 SETTINGS, pseudo-header order, and HTTP headers from a single profile:
from impit import Impit
# Chrome 142 — complete HTTP/2 + TLS + headers profile
impit = (
Impit.builder()
.with_fingerprint("chrome142")
.build()
)
response = impit.get("https://target.com")
# Headers sent: sec-ch-ua, User-Agent, Accept, Accept-Encoding, Accept-Language,
# sec-ch-ua-platform, sec-ch-ua-mobile, Priority, sec-fetch-*
# HTTP/2 SETTINGS: stream_window=6291456, conn_window=15663105, max_header=262144
# Pseudo-header order: :method :authority :scheme :path :protocol :status
For curl/httpx without impit, configure headers manually to match browser profiles:
curl -sk "https://target.com" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Accept-Encoding: gzip, deflate, br, zstd" \
-H "sec-ch-ua: \"Chromium\";v=\"142\", \"Google Chrome\";v=\"142\", \"Not?A_Brand\";v=\"99\"" \
-H "sec-ch-ua-arch: \"x86\"" \
-H "sec-ch-ua-bitness: \"64\"" \
-H "sec-ch-ua-full-version-list: \"Chromium\";v=\"142.0.7444.176\", \"Google Chrome\";v=\"142.0.7444.176\", \"Not?A_Brand\";v=\"99.0.0.0\"" \
-H "sec-ch-ua-mobile: ?0" \
-H "sec-ch-ua-model: \"\"" \
-H "sec-ch-ua-platform: \"Windows\"" \
-H "sec-ch-ua-platform-version: \"15.0.0\"" \
-H "sec-ch-ua-wow64: ?0" \
-H "sec-fetch-dest: document" \
-H "sec-fetch-mode: navigate" \
-H "sec-fetch-site: none" \
-H "sec-fetch-user: ?1" \
-H "Upgrade-Insecure-Requests: 1" \
-H "Priority: u=0, i"
curl -sk "https://target.com" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" \
-H "Accept-Language: en-US,en;q=0.5" \
-H "Accept-Encoding: gzip, deflate, br, zstd" \
-H "sec-ch-ua: \"Firefox\";v=\"144\", \"Not?A_Brand\";v=\"99\"" \
-H "sec-ch-ua-mobile: ?0" \
-H "sec-ch-ua-platform: \"Windows\"" \
-H "sec-fetch-dest: document" \
-H "sec-fetch-mode: navigate" \
-H "sec-fetch-site: none" \
-H "sec-fetch-user: ?1" \
-H "TE: trailers" \
-H "Upgrade-Insecure-Requests: 1" \
-H "Priority: u=0, i"
curl -sk "https://target.com" \
-H "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.7 Mobile/15E148 Safari/604.1" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Accept-Encoding: gzip, deflate, br" \
-H "sec-fetch-dest: document" \
-H "sec-fetch-mode: navigate" \
-H "sec-fetch-site: none"
curl -sk "https://target.com" \
-H "User-Agent: okhttp/4.12.0" \
-H "Accept: application/json, text/plain, */*" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Accept-Encoding: gzip, deflate, br" \
-H "Connection: Keep-Alive"
HTTP/2 SETTINGS frames are sent during connection setup. curl doesn't expose them — use impit or a patched HTTP client:
from impit import Impit
# Chrome HTTP/2 SETTINGS:
# SETTINGS_MAX_CONCURRENT_STREAMS: 1000
# SETTINGS_INITIAL_WINDOW_SIZE: 6291456
# SETTINGS_MAX_HEADER_LIST_SIZE: 262144
# Firefox HTTP/2 SETTINGS:
# SETTINGS_MAX_CONCURRENT_STREAMS: 125
# SETTINGS_INITIAL_WINDOW_SIZE: 131072
impit = Impit.builder().with_fingerprint("chrome142").build()
response = impit.get("https://target.com")
Browsers send HTTP/2 pseudo-headers in specific orders. This is enforced at the h2 library level:
| Browser | Pseudo-Header Order |
|---|---|
| Chrome | :method, :authority, :scheme, :path, :protocol, :status |
| Firefox | :method, :path, :authority, :scheme, :protocol, :status |
| Safari iOS | :method, :scheme, :authority, :path, :protocol, :status |
| OkHttp | :method, :path, :authority, :scheme, :protocol, :status |
Detection: Some reverse proxies inspect pseudo-header order to distinguish browsers. Firefox places :path before :authority — a unique fingerprint. Safari places :scheme second — another differentiator.
Custom headers take priority over fingerprint defaults to avoid conflicts:
impit = Impit.builder().with_fingerprint("chrome142").build()
# Custom headers WIN over fingerprint defaults for same header name
response = impit.get("https://target.com", headers={
"Authorization": "Bearer custom-token",
"X-Custom-Header": "value",
})
# Authorization is added; all fingerprint headers still applied for unset names
Browser Accept-Encoding values differ significantly:
| Browser | Accept-Encoding |
|---|---|
| Chrome 142 | gzip, deflate, br, zstd |
| Chrome 100-116 | gzip, deflate, br |
| Firefox | gzip, deflate, br, zstd |
| Safari iOS | gzip, deflate, br |
| OkHttp 4 | gzip, deflate, br |
Detection: Some CDNs return different content based on Accept-Encoding (brotli vs zstd capability profiling). Match encoding capabilities to your target browser.
sec-ch-ua must match User-Agent. Using Chrome headers with Firefox UA creates an inconsistency that detectors flag.sec-ch-ua format is version-specific. Chrome 100+ uses different brand strings than Chrome 124+.User-Agent as custom overrides the fingerprint's User-Agent.https://httpbin.org/headers — verify all sent headers match the intended browser profile.https://nghttp2.org/httpbin/headers or a local nghttp2 server.cf-ja4 header — it encodes HTTP/2 fingerprint along with TLS.tls-fingerprint-impersonation — TLS ClientHello and JA3/JA4 fingerprint spoofing.stealth-browser-launch — Full browser automation with C++ fingerprint patches.