When Burp/ZAP Miss Traffic: Debugging HTTP/2 Issues in a Web App

Introduction

During a security assessment, I encountered a confusing issue:

  • Most applications routed traffic through my proxy (Burp/ZAP) without problems
  • But one specific subdomain completely bypassed interception
  • The application either froze or behaved as if there was no internet

At first glance, it looked like a proxy misconfiguration or even SSL pinning.

It wasn't.

This post explains what actually happened, how I debugged it, and how to fix it.

The Setup

  • Browser: Firefox
  • Proxy: Burp Suite / OWASP ZAP
  • Target: Web application
  • Architecture: Reverse proxy + API Gateway

Symptoms:

  • UI loads partially or freezes
  • Reload shows "No Internet"
  • No requests appear in proxy history

Initial Hypotheses (All Wrong)

At first, I considered:

  • Proxy misconfiguration
  • DNS issues
  • WAF blocking requests
  • SSL pinning

But these didn't make sense because:

  • Other apps worked fine
  • Both Burp and ZAP failed in the same way
  • The issue was isolated to a single subdomain

The Breakthrough

Looking at the response headers revealed the clue:

server: openresty
X-Firefox-Spdy: h2

Key insight:

The application was using HTTP/2 (h2)

Root Cause

Firefox was communicating with the application over HTTP/2, while Burp/ZAP primarily intercept HTTP/1.1 traffic.

In this setup:

  • The browser prefers HTTP/2
  • The gateway enforces HTTP/2 behavior
  • The proxy cannot properly intercept or handle the flow

Result:

  • Traffic never reaches Burp/ZAP properly
  • The application fails to initialize
  • The UI appears frozen

The Fix

Disable HTTP/2 in Firefox.

Steps:

Open:

about:config

Search for:

network.http.spdy.enabled.http2

Set it to:

false

Also disable:

network.http.spdy.enabled

Restart Firefox

Result

After disabling HTTP/2:

  • Traffic appeared in Burp
  • API calls were visible
  • The application functioned normally under interception

Why This Matters

This isn't just a "tool issue." It has real security implications:

  • Intercepting proxies may miss traffic under HTTP/2
  • Security testing can become incomplete
  • Critical API calls may go uninspected

In environments using API gateways, this becomes more common.

Key Takeaways

  • If one app bypasses your proxy while others don't, think protocol differences
  • HTTP/2 can interfere with interception tools
  • Always inspect response headers for clues
  • Don't assume SSL pinning in browser-based apps
  • Disabling HTTP/2 can restore visibility quickly
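
The first and third takeaways can be turned into a repeatable check. The following is an added example, not part of the original post: it reads a HAR export from the browser's network tab and reports hosts that answered over HTTP/2 but never showed up in the proxy history. The hostnames, the sample data, the function names, and the set of protocol labels are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: labels browsers use for HTTP/2 in HAR "httpVersion" or X-Firefox-Spdy.
H2_LABELS = {"h2", "http/2", "http/2.0"}

def negotiated_protocol(entry):
    """Return the lower-cased protocol label for one HAR entry."""
    resp = entry["response"]
    for header in resp.get("headers", []):
        # The header from the post; prefer it over httpVersion when present.
        if header["name"].lower() == "x-firefox-spdy":
            return header["value"].strip().lower()
    return resp.get("httpVersion", "").strip().lower()

def h2_hosts_missing_from_proxy(har, proxy_hosts):
    """Count HTTP/2 responses per host for hosts absent from proxy history."""
    seen = {h.lower() for h in proxy_hosts}
    missing = Counter()
    for entry in har["log"]["entries"]:
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        if host and host not in seen and negotiated_protocol(entry) in H2_LABELS:
            missing[host] += 1
    return dict(missing)

def _entry(url, version, headers=()):
    """Build a minimal HAR entry for the constructed sample below."""
    return {"request": {"url": url},
            "response": {"httpVersion": version,
                         "headers": [{"name": n, "value": v} for n, v in headers]}}

# Constructed sample: hostnames are placeholders, not taken from the post.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.example.test/", "HTTP/1.1"),
    _entry("https://api.example.test/v1/session", "HTTP/2",
           [("server", "openresty"), ("X-Firefox-Spdy", "h2")]),
    _entry("https://api.example.test/v1/profile", "HTTP/2"),
    _entry("https://cdn.example.test/app.js", "HTTP/2", [("X-Firefox-Spdy", "h2")]),
]}}
# Constructed list of hosts exported from the proxy's history.
SAMPLE_PROXY_HOSTS = ["www.example.test", "CDN.example.test"]

if __name__ == "__main__":
    result = h2_hosts_missing_from_proxy(SAMPLE_HAR, SAMPLE_PROXY_HOSTS)
    for host, count in sorted(result.items()):
        print(f"{host}: {count} HTTP/2 responses in the browser, none in proxy history")
```

For a real capture, load the exported file with `json.load` and pass the host list from the proxy's history export in place of the constructed samples.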

Final Thoughts

Modern web architectures (gateways, HTTP/2, microservices) introduce subtle challenges for security testing.

Understanding how protocol layers interact with your tools is just as important as finding vulnerabilities.