HTTP2 and You

Presented at NolaCon 2018, May 20, 2018, noon (Unknown duration)

Although not commonly known, HTTP2 was first published in May 2015 as an update to HTTP 1.1. By the end of that year, the majority of major browsers added HTTP2 support; it is now being utilized all across the Internet. Sites such as Google, Twitter, Facebook, and perhaps even your company's site have HTTP2 enabled. If so, you probably do not realize you are using it. In fact, many Web Application Firewalls (WAFs) are not keeping pace with HTTP2 security needs and common AppSec testing tools such Burp, Zap, and other DAST products don't support HTTP2. This talk will discuss the details of the presenter's discovery process in identifying how many site hosts are utilizing HTTP2, and a sample of common vulnerabilities which were found on these sites. Attendees will come away with having a better understanding of the security implications of HTTP2 and how you can detect these potential pitfalls on your network using freely available tools.

Presenters:

• Brett Gravois
  Brett is a Breaker of Web Applications, Leader of a DefCon Group, Maker of Tasty Food, and Owner of a Majestic Beard. He has over 17 years of experience in IT and Security, specializing in Web Application Pentesting, PCI practices, vulnerability scanning, and management. Twitter: @Security_Panda

Links:

• https://nolacon.com/talk/http2-and-you
• https://infocon.org/cons/NolaCon/NolaCon 2018/HTTP2 and You Brett Gravois.mp4
• https://infocon.org/cons/NolaCon/NolaCon 2018/HTTP2 and You Brett Gravois.eng.srt (subtitles)

Similar Presentations:

• LayerOne 2019 / Let’s Talk About WAF (Bypass) Baby
• Hackfest 2016 / Clogging the Futures Series of Tubes: A look at HTTP/2 DDoS Attacks
• LayerOne 2018 / HTTP2 and You