Two first-gen flaws carried over to HTTP/2, warn security bods

Black Hat Security researchers have unearthed four high-profile vulnerabilities in HTTP/2, a new version of the protocol.

HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure, according to a study by researchers at data centre security vendor Imperva and released at the Black Hat conference on Wednesday.

Imperva’s researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2.

The team discovered exploitable vulnerabilities in all major HTTP/2 implementations that it reviewed, including two that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x.

The quartet of HTTP/2 attack vectors include:

• Slow Read – An attacker could use a malicious client to read responses very slowly, creating a traffic jam in the process using the same mechanism as the well-known Slowloris DDoS attack, released in 2009 and thrown against major credit card processors back in 2010. Security flaws in the application layer of HTTP/2 implementations make the attack possible. The Imperva team picked up variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.
• HPACK Bomb – This compression-layer attack resembles a zip bomb attack. A potential hacker crafts small and seemingly innocent messages, which unpack into gigs of data on the server-side, consuming memory resources so as to slow down or crash targeted systems.
• Dependency Cycle Attack – The attack subverts the flow control mechanisms that HTTP/2 introduced for network optimisation. A malicious client crafts requests that induce a dependency cycle, forcing the server into an infinite loop as it tries to process these dependencies.
• Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash systems.

“The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users,” said Amichai Shulman, co-founder and CTO of Imperva. “However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”

HTTP/2 adoption is picking up pace. According to W3Techs, 8.7 per cent of all websites, approximately 85 million sites, use HTTP/2, an almost fourfold increase from just 2.3 per cent in December 2015.

Implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises to protect their critical data and applications from cyber attack while introducing HTTP/2, according to Imperva ( leading supplier of WAF technology).

More details of Imperva’s research are here (pdf) (infographic here). ®