Hacking HTTP/2 - New Attacks on the Internet's Next Generation Foundation

Presented at Black Hat Asia 2017, March 30, 2017, 5 p.m. (30 minutes)

HTTP/2 is the emerging network protocol for the Internet. It enables leaner and faster web browsing by introducing several new mechanisms that together can be seen as a single transition layer for web traffic. Adoption of HTTP/2 has been lightning fast: even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field, including browsers, web servers and Content Delivery Networks.

To allow the complex web content delivery scenarios typical of the modern web, HTTP/2 gives clients and servers flexibility in how content is transmitted and processed. When a legitimate client or server is replaced by a malicious entity, however, that flexibility translates into an extensive attack surface that creates new classes of vulnerabilities.

In the presentation, we will overview the HTTP/2 attack surface (stream multiplexing, flow control, HPACK compression and server push), with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue by presenting new classes of vulnerabilities introduced by the mechanisms HTTP/2 uses, and by explaining how these vulnerabilities can be used to mount effective attacks against web servers such as Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546 and CVE-2016-1544, and end by discussing several approaches for mitigating attacks of these types.
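As an added illustration of the flow-control mechanism named above, the following example (written for this page; it is not code from the talk, from Imperva, or from any of the servers listed) parses HTTP/2 frames and keeps the send-side window accounting a server must do. The frame layout, frame types and SETTINGS/WINDOW_UPDATE semantics follow RFC 7540; the two client byte streams, the `serve` loop and the two-idle-round stall policy are constructed here as assumptions, and DATA is accounted as one chunk rather than split into frames of at most SETTINGS_MAX_FRAME_SIZE. It shows the point the abstract makes about flow control: the peer decides how much the server may send, so a client that advertises a tiny window and never replenishes it pins the response, and the server needs its own policy (here, abort after a stall) to get out.

```python
"""HTTP/2 frame parsing plus send-side flow control (constructed example)."""
import struct

FRAME_HEADER_LEN = 9
DATA, HEADERS, SETTINGS, WINDOW_UPDATE = 0x0, 0x1, 0x4, 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
DEFAULT_WINDOW = 65535
MAX_WINDOW = 2**31 - 1


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf):
    """Return a list of (type, flags, stream_id, payload) for each complete frame in buf."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(buf):
            break  # truncated frame: wait for more bytes
        frames.append((ftype, flags, stream_id, buf[start:start + length]))
        off = start + length
    return frames


class SendFlowControl:
    """How many DATA bytes the server may still send, per connection and per stream."""

    def __init__(self):
        self.initial_window = DEFAULT_WINDOW
        self.conn_window = DEFAULT_WINDOW
        self.stream_windows = {}
        self.error = None

    def on_peer_frame(self, ftype, flags, sid, payload):
        if ftype == SETTINGS and not flags & 0x1:  # SETTINGS ACK carries no values
            for i in range(0, len(payload), 6):
                ident, value = struct.unpack("!HI", payload[i:i + 6])
                if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                    if value > MAX_WINDOW:
                        self.error = "FLOW_CONTROL_ERROR"
                        return
                    delta = value - self.initial_window
                    self.initial_window = value
                    for s in self.stream_windows:  # RFC 7540 6.9.2: adjust open streams
                        self.stream_windows[s] += delta
        elif ftype == WINDOW_UPDATE:
            inc = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if inc == 0:
                self.error = "PROTOCOL_ERROR"
                return
            if sid == 0:
                self.conn_window += inc
                if self.conn_window > MAX_WINDOW:
                    self.error = "FLOW_CONTROL_ERROR"
            else:
                self.stream_windows.setdefault(sid, self.initial_window)
                self.stream_windows[sid] += inc
                if self.stream_windows[sid] > MAX_WINDOW:
                    self.error = "FLOW_CONTROL_ERROR"
        elif ftype == HEADERS:
            self.stream_windows.setdefault(sid, self.initial_window)

    def send_data(self, sid, nbytes):
        """Send up to nbytes on sid; both windows cap it. Returns the bytes actually sent."""
        if sid not in self.stream_windows:
            return 0
        allowed = max(0, min(nbytes, self.conn_window, self.stream_windows[sid]))
        self.conn_window -= allowed
        self.stream_windows[sid] -= allowed
        return allowed


def serve(rounds, response_len, stall_limit=2):
    """Feed client frames round by round, sending as much of the response as the windows allow.
    Returns (bytes_sent, verdict): 'complete', 'stalled' (peer stopped granting window), or an error code."""
    fc, sent, idle_rounds = SendFlowControl(), 0, 0
    for batch in rounds:
        for frame in parse_frames(batch):
            fc.on_peer_frame(*frame)
            if fc.error:
                return sent, fc.error
        n = fc.send_data(1, response_len - sent)
        sent += n
        if sent == response_len:
            return sent, "complete"
        idle_rounds = idle_rounds + 1 if n == 0 else 0
        if idle_rounds >= stall_limit:  # constructed policy: give up on a pinned stream
            return sent, "stalled"
    return sent, "incomplete"


HEADERS_GET_ROOT = build_frame(HEADERS, 0x5, 1, b"\x82\x84")  # END_HEADERS|END_STREAM; HPACK static ':method GET', ':path /'


def good_client_rounds():
    """Constructed: default SETTINGS, one request, then WINDOW_UPDATEs as data is consumed."""
    update = lambda sid: build_frame(WINDOW_UPDATE, 0, sid, struct.pack("!I", 65535))
    return [build_frame(SETTINGS, 0, 0) + HEADERS_GET_ROOT, update(0) + update(1), update(0) + update(1)]


def slow_read_rounds():
    """Constructed: initial window of 1 byte, one request, then silence."""
    tiny = build_frame(SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 1))
    return [tiny + HEADERS_GET_ROOT, b"", b"", b""]


if __name__ == "__main__":
    print(serve(good_client_rounds(), 150000))  # (150000, 'complete')
    print(serve(slow_read_rounds(), 150000))    # (1, 'stalled')
```

The well-behaved client receives the whole 150000-byte response across three rounds; the silent client gets exactly one byte and is then cut off by the stall policy instead of holding the stream (and whatever buffers back it) open indefinitely. The stall limit is an example value, not a recommendation; a real server would also bound the number of such streams per connection.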

Presenters:

  • Nadav Avital - Security Research Team Leader, Imperva
    Nadav Avital is an expert in Web Application Security. He leads an Imperva team that captures and analyzes hacking activity and then creates mitigation strategies. These efforts result in research into new technologies and protocols. Nadav has more than 10 years of industry experience in coding and creating security tools. He holds a B.Sc. in Computer Science.
