HTTP2After being launched in May of last year, many people have been under the impression that the HTTP/2 is more secure than the more common HTTP. Google even started bundling it with its SPDY protocol in an effort to speed up web surfing. Unfortunately, data security researchers at Imperva have published a report outlining four major vulnerabilities in HTTP/2 that could allow hackers to do everything from putting servers in an infinite loop to outright crashing them.

HTTP/2 consists of three distinct layers. First, there’s a transmission layer that handles things like streams and flow control. The second layer is the HPACK binary encoding and compression protocol. Lastly, there’s the semantic layer, which is basically a version of HTTP/1.1 with the addition of server-push capabilities.

With that in mind here are the four flaws that have been found:

  1. Slow Read. You may have heard of the Slowloris DDos attack on major credit processors in 2010. As it turns out, a variation of the attack that involves a malicious client very slowly reading responses has been found on virtually all of the most popular web servers.
  2. HPACK Bomb. Similar to a zip bomb or decompression bomb, an HPACK bomb is a compression layer attack that essentially involves sending a message that appears to be small, but unpacks to be gigabytes worth of data. All that information takes up all the available server memory resources and either slows it down or causes it to crash outright.
  3. Dependency Cycle Attack. By taking advantage of HTTP/2’s control mechanisms for network optimization, it’s possible for hackers to use special requests to create an infinite loop that can be used in a DoS attack.
  4. Stream Multiplexing. This another DoS attack vector that involves crashing a server by taking advantage of the stream multiplexing functionality.

Fortunately, Imperva researchers have offered a fix. By using a web application firewall with virtual patching capabilities it’s possible to mitigate so of the possibility of attack.

Comments are closed.