Presented at
Black Hat Asia 2017,
March 30, 2017, 5 p.m.
(30 minutes).
HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms which can be seen as a single transition layer for web traffic. The adoption of HTTP/2 is lightning fast, and even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field including browsers, web servers and Content Delivery Networks. <br> <br> In order to allow complex web content delivery scenarios, which are typical with the modern web, HTTP/2 provides flexibility to clients and servers in how to transmit and process content. However, when replacing a legitimate client or server with malicious entities, this flexibility is translated into an extensive attack surface which creates new classes of vulnerabilities. <br> <br> In the presentation, we will overview the HTTP/2 attack surface - stream multiplexing, flow control, HPACK compression and server push, with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue with presenting new classes of vulnerabilities that have been introduced by the mechanisms used with HTTP/2, and explaining how these vulnerabilities can be used for mounting effective attacks against web servers like Apache, IIS, Ngnix, Jetty and nghttp. We will explain in details several serious zero-day vulnerabilities, such as CVE-2016-1546 and CVE-2016-1544, and end with discussing several approaches for mitigating attacks of these types.
Presenters:
-
Nadav Avital
- Security Research Team Leader, Imperva
Nadav Avital is an expert in Web Application Security. He leads an Imperva team who captures and analyzes hacking activities and then create mitigation strategies. These efforts result in research for new technologies and protocols. Nadav has more than 10 years industry experience in coding and creating security tools. He holds a B.Sc. in Computer Science.
Links:
Similar Presentations: