Presented at
NolaCon 2018,
May 20, 2018, noon
(Unknown duration).
Although not commonly known, HTTP2 was first published in May 2015 as an update to HTTP 1.1. By the end of that year, the majority of major browsers added HTTP2 support; it is now being utilized all across the Internet. Sites such as Google, Twitter, Facebook, and perhaps even your company's site have HTTP2 enabled. If so, you probably do not realize you are using it. In fact, many Web Application Firewalls (WAFs) are not keeping pace with HTTP2 security needs and common AppSec testing tools such Burp, Zap, and other DAST products don't support HTTP2.
This talk will discuss the details of the presenter's discovery process in identifying how many site hosts are utilizing HTTP2, and a sample of common vulnerabilities which were found on these sites. Attendees will come away with having a better understanding of the security implications of HTTP2 and how you can detect these potential pitfalls on your network using freely available tools.
Presenters:
-
Brett Gravois
Brett is a Breaker of Web Applications, Leader of a DefCon Group, Maker of Tasty Food, and Owner of a Majestic Beard. He has over 17 years of experience in IT and Security, specializing in Web Application Pentesting, PCI practices, vulnerability scanning, and management.
Twitter: @Security_Panda
Links:
Similar Presentations: