Black Hat: Be wary of HTTP/2 on Web servers

Imperva researchers found four flaws in how the Web protocol was implemented on popular servers

Researchers at Black Hat described finding four flaws, now fixed, in the way major server vendors implemented HTTP/2, but warned that the year-old Web protocol remains fertile ground for attackers seeking weaknesses in how it is rolled out.


A team at security vendor Imperva says it found nothing vulnerable in the protocol specification itself, but built denial-of-service attacks that exploit openings left by the way individual servers implement it.

Patches have been issued for all the affected servers, Microsoft IIS, Apache, Jetty, Nghttpd and Nginx, to block the exploits found by the Imperva team, said Itsik Mantin, director of security research, and Nadav Avital, application security research team lead. Businesses running those servers should make sure they are patched, they say.

Because the protocol is so new, the team thought its implementations would likely contain features that hadn’t been thoroughly vetted for security, and it turns out they were right.

HTTP/2 was designed as a successor to HTTP/1.1 that speeds up page loading by optimizing communication between browsers and servers, among other things by multiplexing requests over a single connection and compressing headers. Those new and complex mechanisms present many potential attack surfaces, Mantin says.


It took two researchers four months to find the four flaws, and it is likely that other researchers, and malicious attackers, will find more. "That's just the four we discovered," Avital says.

In some cases the effect of an attack lasted as long as the attacker kept it up; in others the attack was severe enough to crash the server, Mantin says.

For example, one attack focused on HPACK, the compression mechanism HTTP/2 uses to shrink HTTP headers. The protocol lets the sender set the size of the dynamic table the receiver uses to decode headers (within a maximum the receiver advertises), and lets later headers refer back to entries in that table by index.

The researchers sent a single header whose table entry filled the entire compression table. They then opened new streams on the same connection, each referring to that entry as many times as a frame could hold. A reference costs only about a byte on the wire but expands to the full entry in the server's memory, so after 14 such streams the connection had consumed 896MB, crashing the server, Mantin says.
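To make the amplification concrete, here is an added example in Python, not code from Imperva or from any of the servers named above: a toy HPACK decoder with only the dynamic table and two instruction kinds, the constructed attack traffic, and the per-block cap on decoded header bytes that a hardened decoder enforces. The 4,096-byte table, 16,384 references per stream and 14 streams are assumptions chosen to match the figures quoted above; `max_header_list_bytes` and the other function names are hypothetical.

```python
# Added example, not Imperva's or any server's code. Toy model of the HPACK
# amplification: dynamic table, two instruction kinds, and the bound a hardened
# decoder places on decoded header bytes. Names and traffic are assumptions.

DEFAULT_TABLE_SIZE = 4096       # SETTINGS_HEADER_TABLE_SIZE default, RFC 7540 s6.5.2
ENTRY_OVERHEAD = 32             # per-entry overhead in the table-size formula, RFC 7541 s4.1
DEFAULT_MAX_FRAME_SIZE = 16384  # SETTINGS_MAX_FRAME_SIZE default, RFC 7540 s6.5.2


class HeaderListTooLarge(Exception):
    """A header block decoded to more bytes than this decoder is willing to hold."""


class HpackDecoder:
    """Toy HPACK decoder: dynamic table only, no static table, no Huffman coding.

    max_header_list_bytes (hypothetical name) caps the decoded size of one
    header block. None means unbounded, which is what turns one-octet
    indexed references into a memory bomb.
    """

    def __init__(self, max_table_size=DEFAULT_TABLE_SIZE, max_header_list_bytes=None):
        self.max_table_size = max_table_size
        self.max_header_list_bytes = max_header_list_bytes
        self.table = []  # newest entry first, as in RFC 7541 s2.3.2

    @staticmethod
    def entry_size(name, value):
        return len(name) + len(value) + ENTRY_OVERHEAD

    def table_size(self):
        return sum(self.entry_size(n, v) for n, v in self.table)

    def add_entry(self, name, value):
        size = self.entry_size(name, value)
        while self.table and self.table_size() + size > self.max_table_size:
            self.table.pop()  # evict the oldest entry
        if size <= self.max_table_size:
            self.table.insert(0, (name, value))

    def decode(self, instructions):
        """Decode one header block; return (headers, wire_bytes, decoded_bytes).

        ('literal', name, value): literal field with incremental indexing.
        ('indexed', i): reference to dynamic-table entry i (1-based).
        """
        headers, wire_bytes, decoded_bytes = [], 0, 0
        for ins in instructions:
            if ins[0] == 'literal':
                _, name, value = ins
                self.add_entry(name, value)
                # prefix octet + length-prefixed name + length-prefixed value (approximate)
                wire_bytes += 1 + 1 + len(name) + 3 + len(value)
            else:
                name, value = self.table[ins[1] - 1]
                wire_bytes += 1  # an indexed field with a small index is one octet
            decoded_bytes += self.entry_size(name, value)
            if self.max_header_list_bytes is not None and decoded_bytes > self.max_header_list_bytes:
                raise HeaderListTooLarge(f"{decoded_bytes} > {self.max_header_list_bytes}")
            headers.append((name, value))
        return headers, wire_bytes, decoded_bytes


def fill_table_instruction(table_size=DEFAULT_TABLE_SIZE):
    """A single literal header whose table entry is exactly the whole table."""
    name = "x-pad"
    return ('literal', name, "A" * (table_size - ENTRY_OVERHEAD - len(name)))


def bomb_block(references=DEFAULT_MAX_FRAME_SIZE):
    """Constructed attack block: one max-size HEADERS frame of references to entry 1."""
    return [('indexed', 1)] * references


def run_attack(streams=14, decoder=None):
    """Send the filler header, then `streams` bomb blocks on the same connection.

    Returns (wire_bytes, decoded_bytes). With an unbounded decoder and the
    defaults, 14 streams decode to 896 MiB from roughly 230 KB on the wire.
    """
    dec = decoder if decoder is not None else HpackDecoder()
    _, wire, decoded = dec.decode([fill_table_instruction()])
    for _ in range(streams):
        _, w, d = dec.decode(bomb_block())
        wire += w
        decoded += d
    return wire, decoded


def bounded_decoder_rejects(max_header_list_bytes=16384):
    """True if a decoder with this cap refuses the first bomb block."""
    try:
        run_attack(streams=1, decoder=HpackDecoder(max_header_list_bytes=max_header_list_bytes))
    except HeaderListTooLarge:
        return True
    return False


if __name__ == "__main__":
    wire, decoded = run_attack()
    print(f"wire {wire} bytes -> decoded {decoded // 2**20} MiB, x{decoded // wire} amplification")
    print("bounded decoder rejects the block:", bounded_decoder_rejects())
```

The point of the model is the ratio: the attacker pays one octet per reference while the unbounded decoder materializes the 4 KiB entry each time, so a single 16 KiB HEADERS frame becomes 64 MiB of headers and 14 streams reach the 896 MB figure above. SETTINGS_MAX_HEADER_LIST_SIZE is advisory in RFC 7540, so a decoder has to enforce its own cap on decoded bytes per block, as the bounded decoder here does, and treat an overrun as a connection error rather than keep allocating.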

As a side note, when the Imperva researchers reported the exploit to the Nghttpd team and the traffic was run through Wireshark, Wireshark crashed as well. It turned out that both Wireshark and the server relied on the same susceptible HTTP/2 library, he says.

The two researchers have moved on to other projects but say they will come back to HTTP/2 implementations at a later date to see what else they can find.

Results of the research are available in a report called “HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol.”
