HTTP2 and You

Presented at LayerOne 2018, May 26, 2018, 4 p.m. (60 minutes)

Although not commonly known, HTTP2 was first published in May 2015 as an update to HTTP 1.1. By the end of that year, the majority of major browsers had added HTTP2 support, and it is now being utilized all across the Internet. Sites such as Google, Twitter, Facebook, and perhaps even your company's site have HTTP2 enabled. If so, you probably do not realize you are using it. In fact, many Web Application Firewalls (WAFs) are not keeping pace with HTTP2 security needs, and common AppSec testing tools such as Burp, Zap, and other DAST products don't support HTTP2. This talk will discuss the details of the presenter's discovery process in identifying how many site hosts are utilizing HTTP2, and a sample of common vulnerabilities which were found on these sites. Attendees will come away with a better understanding of the security implications of HTTP2 and how to detect these potential pitfalls on their network using freely available tools.

Presenters:

  • Security Panda
    Brett is a Breaker of Web Applications, Leader of a DefCon Group, Maker of Tasty Food, and Owner of a Majestic Beard. He has over 17 years of experience in IT and Security, specializing in Web Application Pentesting, PCI practices, vulnerability scanning, and management.
