
Black Hat: Be wary of HTTP/2 on Web servers

Researchers at Black Hat describe finding four flaws – now fixed – in the way the major server vendors implemented HTTP/2, but warn that the year-old Web protocol remains fertile ground for hackers seeking weaknesses in the way it’s rolled out.


A team at security vendor Imperva says they found nothing vulnerable about the protocol itself, but that they created distributed denial-of-service attacks that took advantage of openings left by how servers support the protocol.

Patches have been issued for all the affected servers – Microsoft IIS, Apache, Jetty, Nghttpd and Nginx – to block the exploits found by the Imperva team, said Itsik Mantin, director of security research, and Nadav Avital, application security research team lead. Businesses using the servers should make sure they are patched, they say.

Because the protocol is so new, the team thought its implementations would likely contain features that hadn’t been thoroughly vetted for security, and it turns out they were right.

HTTP/2 was designed as a follow-up to HTTP that would improve the speed of building Web pages by optimizing communications between browsers and servers. That introduced a set of new and complex mechanisms, a circumstance presenting many potential attack surfaces, Mantin says.


Finding the four exploits took two researchers four months, and it’s likely other researchers and malicious attackers will find more. “That’s just the four we discovered,” Avital says.

In some cases the effects of the attacks lasted as long as the attacker chose to keep attacking; in others the attacks were severe enough to crash the servers, Mantin says.

For example, one attack focused on a compression mechanism called HPACK used to reduce the size of packet headers. The protocol says the sender can tell the receiver the maximum size of the header compression table used to decode the headers.

The researchers created a header that was the same size as the entire compression table. Then they opened new streams on the same connection, each of which referred to the initial header as many times as possible. After sending 14 such streams, the connection ate up 896MB of memory, crashing the server, Mantin says.
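The defensive point behind that finding is that an HPACK decoder must budget the total size of the headers it expands on a stream, not just the size of the compressed block it received. The following Python model is an added illustration, not code from the article or from Imperva's report; it assumes a 4096-byte dynamic table holding one entry that fills it, and a per-stream budget modelled on the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE setting, and it contrasts what an unbounded decoder would allocate with a decoder that stops at the budget.

```python
# Toy model of HPACK indexed-header expansion with a per-stream size budget.
# Assumed values (constructed for this example, not from the article):
HEADER_TABLE_SIZE = 4096           # bytes the receiver allows for its dynamic table
MAX_HEADER_LIST_SIZE = 16 * 1024   # budget for decoded headers on a single stream


class HeaderListTooLarge(Exception):
    """Raised when a stream's decoded headers would exceed the budget."""


def entry_size(name: bytes, value: bytes) -> int:
    # RFC 7541 section 4.1: an entry costs len(name) + len(value) + 32 bytes.
    return len(name) + len(value) + 32


def build_table() -> list:
    # A dynamic table whose single entry exactly fills HEADER_TABLE_SIZE.
    value = b"a" * (HEADER_TABLE_SIZE - 32 - len(b"x"))
    table = [(b"x", value)]
    assert entry_size(*table[0]) == HEADER_TABLE_SIZE
    return table


def unbounded_decoded_bytes(refs: list, table: list) -> int:
    """Memory an unbounded decoder materialises for one stream's references."""
    return sum(entry_size(*table[i]) for i in refs)


class BoundedDecoder:
    """Expands indexed references but refuses to exceed the per-stream budget."""

    def __init__(self, table: list, limit: int = MAX_HEADER_LIST_SIZE):
        self.table = table
        self.limit = limit

    def decode(self, refs: list) -> list:
        used = 0
        headers = []
        for idx in refs:
            name, value = self.table[idx]
            used += entry_size(name, value)
            if used > self.limit:
                # Abort before allocating further; a server would reset the
                # stream or treat this as a compression error at this point.
                raise HeaderListTooLarge(f"{used} bytes exceeds {self.limit}")
            headers.append((name, value))
        return headers
```

Running `unbounded_decoded_bytes([0] * 1000, build_table())` shows a 1000-reference block expanding to about 4 MB from a few kilobytes of input, while `BoundedDecoder(build_table()).decode([0] * 5)` raises after the fifth reference.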

As a side note, when the Imperva researchers reported the exploit to the team at Nghttpd, that team ran the traffic through Wireshark and Wireshark crashed. It turns out both Wireshark and the server used the same susceptible library, he says.

The two researchers have moved on to other projects but say they will come back to HTTP/2 implementations at a later date to see what else they can find.

Results of the research are available in a report called “HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol.”

IDG News Service