Researchers have discovered a number of security issues related to the new HTTP/2 protocol which could place millions of websites at risk of attack.
On Wednesday at Black Hat USA, cybersecurity firm Imperva released new research into a number of high-profile flaws found within the latest version of HTTP, HTTP/2, which underpins the worldwide web’s underlying protocols and communication systems.
The report, HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol (.PDF), details four main vulnerabilities and attack vectors related to HTTP/2, of which adoption is steadily increasing.
According to W3Techs, 8.7 percent of all websites — roughly 85 million — have adopted the new standard, which is meant to improve how browsers and servers communicate, speeding up the online experience.
The attack vectors discovered include:
- Slow read: The attack calls on a malicious client to read responses very slowly — identical to the Slowloris DDoS attack which hit financial institutions in 2010 — and despite slow read attacks being well-known in the HTTP ecosystem, they are still effective in the latest evolution of the web protocol. However, this time, they take place in the application layer of HTTP/2 implementations. Variants of this vulnerability have been discovered across Apache, IIS, Jetty, NGINX and nghttp2.
- HPACK Bomb: The researchers say this attack resembles a “zip bomb,” a malicious archive file designed to crash the program or system reading it and often used to disable antivirus software. Small and innocent-looking messages explode into gigabytes of a data on a server, siphoning away all server memory resources and effectively taking it offline.
- Dependency Cycle attack: HTTP/2 introduced a new flow control mechanism designed to optimize networks. However, the mechanism can be exploited should an attacker craft requests which create a dependency cycle — creating an infinite loop which cannot be escaped when the flow control system attempts to process these requests.
- Stream Multiplexing Abuse: The final main issue emerges when attackers use security flaws present in how servers implement stream multiplexing functionality. These bugs can crash servers, resulting in a denial of service to legitimate users.
“The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users,” said Amichai Shulman, co-founder and CTO of Imperva.
“However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers,” Shulman added. “While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”
In related news, at Black Hat, Rapid7 security researcher Weston Hacker demonstrated a $6 tool which can be used to compromise and break into keycard-based hotel rooms.