Note
web
http
http3
quic
recon
Reach a service that is intentionally only available over QUIC/HTTP3 even though a normal TCP HTTP probe looks dead.
Service Hidden Behind HTTP/3 / QUIC
Some challenge services are intentionally reachable only over QUIC/HTTP3 even though a normal TCP HTTP probe looks dead.
Why It Works
- HTTP/3 runs over UDP/QUIC; a TCP-only probe never touches it, so the port appears closed or empty.
Vulnerable Pattern
- Ports that appear closed/empty over HTTP/1.1 but are hinted to be "cache" or edge services.
Exploit Flow
- If a host looks weirdly dead on TCP, check whether the description or surrounding infra hints at UDP or HTTP/3.
- Use a client with explicit --http3 support and probe the same hostname/port again.
Common Blockers
- Outdated curl, missing QUIC support locally, or probing the wrong port/protocol pair.
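A preflight check for the blockers above, added here as an example and not part of the original note: it reads `curl --version` output and reports whether the local build can speak HTTP/3 and which flag applies. The function name and the sample outputs are constructed for illustration; 7.88.0 is the curl release that added --http3-only.

```shell
#!/bin/sh
# Added example: decide which HTTP/3 flag the local curl build can use.
# Reads `curl --version` text on stdin and prints one of:
#   http3-only : HTTP3 feature present and version >= 7.88.0 (has --http3-only)
#   http3      : HTTP3 feature present, but the build predates --http3-only
#   none       : no HTTP3 feature compiled in; an HTTP/3 probe cannot work
curl_http3_mode() {
    ver_text=$(cat)
    # First line looks like: "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 ..."
    version=$(printf '%s\n' "$ver_text" | awk 'NR==1 && $1=="curl" {print $2}')
    # The "Features:" line lists compiled-in capabilities as whole words.
    if ! printf '%s\n' "$ver_text" | grep -E '^Features:' | grep -qw 'HTTP3'; then
        echo none
        return 0
    fi
    major=$(printf '%s' "$version" | cut -d. -f1)
    minor=$(printf '%s' "$version" | cut -d. -f2)
    case "$major$minor" in
        ''|*[!0-9]*) echo http3; return 0 ;;  # unparseable version: assume older flag
    esac
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 88 ]; }; then
        echo http3-only
    else
        echo http3
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_NEW='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 ngtcp2/1.2.0 nghttp3/1.1.0
Protocols: http https
Features: alt-svc HSTS HTTP2 HTTP3 IPv6 SSL'
SAMPLE_OLD='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 nghttp2/1.43.0
Protocols: http https
Features: alt-svc HSTS HTTP2 IPv6 SSL'

printf 'new build: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | curl_http3_mode)"
printf 'old build: %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | curl_http3_mode)"
# Against the installed client: curl --version | curl_http3_mode
```

A result of "none" means a failed probe says nothing about the service; the client itself cannot open a QUIC connection.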
PoC Sketch
curl --http3-only https://target:4433/
curl --http3 https://target:port/
Good Situations To Use It
- A host looks dead over TCP HTTP.
- The challenge hints at cache/edge/UDP services.
- Your client supports HTTP/3.
Sources
marshack2026/web/quick_start