LAS VEGAS, Nevada. Imperva, Inc. (NYSE: IMPV), committed to protecting business-critical data and applications in the cloud and on-premises, today released its new Hacker Intelligence Initiative (HII) Report: “HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol” at Black Hat USA 2016. In the report, researchers at the Imperva Defense Center document four high-profile vulnerabilities in HTTP/2 – the new version of the HTTP protocol that serves as one of the main building blocks of the Worldwide Web.
HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure which then becomes vulnerable to new types of attacks. Imperva Defense Center researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The team discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed including two that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x. It is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.
“The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users,” said Amichai Shulman, co-founder and CTO of Imperva. “However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”
The threats are especially concerning given the rapid adoption of HTTP/2. According to W3Techs, 8.7 percent of all websites, approximately 85 million sites, use HTTP/2, an almost fourfold increase from just 2.3 percent in December 2015.
The four high-profile attack vectors found by the Imperva researchers include1:
- Slow Read – The attack calls on a malicious client to read responses very slowly and is identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010. It is worth noting that despite Slow Read attacks being well-studied in the HTTP/1.x ecosystem, they are still effective – this time in the application layer of HTTP/2 implementations. The Imperva Defense Center identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.
- HPACK Bomb – This compression-layer attack resembles a zip bomb. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable.
- Dependency Cycle Attack – The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.
- Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server. This ultimately results in a denial of service to legitimate users.
While new technology brings advancements, it also introduces new risks. When adopting technology such as HTTP/2, it is imperative that companies remain vigilant to the possibility of new areas of exposure and attack. Implementing a web application firewall (WAF) with virtual patching capabilities can help businesses protect their critical data and applications from cyber attack.