Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Web Server Makers Plug Four Security Holes in HTTP/2 Protocol Implementation

$
0
0

Two Imperva researchers have worked closely with major Web server makers to plug four security vulnerabilities in the HTTP/2 protocol implementation that launched a year ago.

HTTP/2 is the next generation of the old HTTP 1.1 protocol that most of us have used most of our lives to access websites. The next-gen version of this protocol launched last year and is currently used by 9.1 percent of all websites, according to W3Techs.

The advantages of HTTP/2 is the increased speed at which it can deliver content from the server to the user.

Just like any protocol, at its base, HTTP/2 is a bunch of code that needs to be added to the source code of Web servers in order to support data transfers via HTTP/2.

Slowloris attack makes a comeback after six years

According to Imperva researchers, there were four issues in the core HTTP/2 protocol code that made its way into most HTTP/2 Web server implementations.

The first is called Slow Read and is the Slowloris attack discovered in 2010 in the HTTP/1.1 protocol, ported to the protocol's next-gen version. The Slowloris attack was a big deal in 2010 because it allowed crooks to steal data from the servers of credit card companies with low-and-slow DDoS attacks.

Imperva said it identified Slow Read attacks on HTTP/2-capable Web servers such as Apache, IIS, Jetty, NGINX and nghttp2.

The second attack is called HPACK Bomb and is an attack through which a hacker hides huge amounts of data inside ZIP files. When the server processes these files, the data quickly expands and consumes all the server's physical memory, crashing the server in most instances.

The third attack is called Dependency Cycle Attack and takes place because of the flow control mechanism introduced specifically in HTTP/2. An attacker can use this attack to make servers enter an infinite requests loop.

The fourth attack is named Stream Multiplexing Abuse and is another flaw in an HTTP/2 feature called stream multiplexing that leads to a DoS state.

Imperva: Expect more HTTP/2 flaws

Imperva researchers say there's no reason to fear these vulnerabilities if webmasters keep their servers updated up to the latest version.

Furthermore, since the protocol is still in its early versions, users, webmasters, and developers should expect a slew of more security flaws to appear until the codebase will be freed of all problems.

"New code always has flaws, some of them are similar to flaws in the old code, and some of them due to implementers not adhering to the proposed design," the Imperva team explains. "The new mechanisms, however, are disproportionately increasing the attack surface for hackers and exposing vulnerabilities, because they always include new code."


Web Server Makers Plug Four Security Holes in HTTP/2 Protocol Implementation

HTTP/2 protocol features


Viewing all articles
Browse latest Browse all 12749

Trending Articles