HTTP/2: Faster and better than HTTP 1.1, but is it more secure?
It was November 2015 when I heard the high-pitched excitement of a researcher from our Imperva Defense Center – “HTTP/2 is susceptible to slow read attacks!” It was like déjà vu all over again; five years had gone by since the last high-profile slow read attack on HTTP 1.1, Slowloris, had taken down major credit card processors. This time, however, the crisis was averted: the Imperva researchers worked with all of the major vendors to address the vulnerabilities before making them public. In total, the research team found four high-profile vulnerabilities in its battery of tests against the new HTTP/2 implementations from all of the major vendors.
The four high-profile attack vectors found by the Imperva researchers include:
- Slow Read – The attack relies on a malicious client reading responses very slowly, and is strikingly similar to the well-known Slowloris DDoS attack that hit major credit card processors in 2010. The Imperva research team identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.
- HPACK Bomb – This compression-layer attack resembles a zip bomb: the attacker crafts small and seemingly innocent messages that expand into a significant amount of data (gigabytes) on the server, bloating its memory footprint and degrading performance.
- Dependency Cycle Attack – The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.
- Stream Multiplexing Abuse – The attacker exploits flaws in the way servers implement stream multiplexing to crash the server, which ultimately results in a denial of service to legitimate users.
Imperva researchers took an in-depth look at HTTP/2 server implementations from all of the major players – Apache, Microsoft, NGINX, Jetty, and nghttp2. HTTP/2 introduces new mechanisms – Flow Control, Compression, Stream Multiplexing, and Stream Dependency – and each of them requires new code and new implementations. New code always has flaws; some are similar to flaws in the old code, and some stem from implementers not adhering to the proposed design. Because these mechanisms always come with new code, they disproportionately increase the attack surface available to attackers and expose new vulnerabilities.
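As an added illustration of the Stream Dependency point (this is not code from the Imperva report or from any server named above), the following models the priority tree an HTTP/2 server keeps for PRIORITY frames and applies the RFC 7540 §5.3.3 rule that prevents a crafted frame from closing a dependency cycle; weights and the exclusive flag are left out because only the parent links matter for the cycle case.

```python
"""Priority-tree reprioritisation for HTTP/2 PRIORITY frames (RFC 7540 s5.3.3).

Added illustration, not code from the Imperva report or any server it names.
If stream A is made dependent on one of its own descendants B, B is first
moved to A's previous parent; a server that skips this step ends up with a
cycle, and any later walk toward the root never terminates.
"""

ROOT = 0  # stream 0 is the implicit root of the dependency tree


class PriorityTree:
    def __init__(self):
        self.parent = {}  # stream id -> stream id it depends on

    def _ensure(self, stream):
        # A PRIORITY frame may name an idle stream; it gets default priority.
        if stream != ROOT and stream not in self.parent:
            self.parent[stream] = ROOT

    def ancestors(self, stream):
        """Parents of `stream` up to and including the root."""
        chain = []
        while stream != ROOT:
            stream = self.parent[stream]
            chain.append(stream)
        return chain

    def apply_priority(self, stream, depends_on):
        """Make `stream` depend on `depends_on` without creating a cycle."""
        if stream == depends_on:
            raise ValueError("stream depends on itself: PROTOCOL_ERROR (s5.3.1)")
        self._ensure(stream)
        self._ensure(depends_on)
        if stream in self.ancestors(depends_on):
            # depends_on sits below `stream`: move it to stream's old parent first
            self.parent[depends_on] = self.parent[stream]
        self.parent[stream] = depends_on

    def is_acyclic(self):
        """Bounded check: every stream reaches the root without revisiting a node."""
        for start in self.parent:
            seen, cur = set(), start
            while cur != ROOT:
                if cur in seen:
                    return False
                seen.add(cur)
                cur = self.parent[cur]
        return True


if __name__ == "__main__":
    tree = PriorityTree()
    tree.apply_priority(3, depends_on=1)  # 1 -> 0, 3 -> 1
    tree.apply_priority(5, depends_on=3)  # 5 -> 3
    tree.apply_priority(1, depends_on=5)  # would close 1 -> 5 -> 3 -> 1 if applied blindly
    print(tree.parent, tree.is_acyclic())  # {3: 1, 5: 0, 1: 5} True
```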
The best protection against such vulnerabilities remains the web application firewall (WAF). WAFs with virtual patching capabilities are the security team’s best tool, giving them adequate time to patch the server software while immediately protecting against known zero-day vulnerabilities.
Download the complete report here and find out more about these high-profile vulnerabilities and how to make your HTTP/2 adoption safer.