The report, HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol (.PDF), details four main vulnerabilities and attack vectors related to HTTP/2, of which adoption is steadily increasing. According to W3Techs, 8.7 percent of all websites — roughly 85 million — have adopted the new standard, which is meant to improve how browsers and servers communicate, speeding up the online experience. The vulnerabilities discovered by Imperva researchers are as follows :
Slow Read — The attack calls on a malicious client to read responses very slowly and is identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010. It is worth noting that despite Slow Read attacks being well-studied in the HTTP/1.x ecosystem, they are still effective – this time in the application layer of HTTP/2 implementations. The Imperva Defense Center identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2. HPACK Bomb — This compression-layer attack resembles a zip bomb. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable. Dependency Cycle Attack — The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies. Stream Multiplexing Abuse — The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server. This ultimately results in a denial of service to legitimate users.
Amichai Shulman, co-founder and CTO of Imperva warns that: “As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”