Flaws in HTTP/2 could enable hackers to crash web servers, claims Imperva

Imperva research highlights four key vulnerabilities in HTTP/2

A series of security flaws have been uncovered in HTTP/2, a major revision of the HTTP network protocol that the web is based on, which was introduced last year.

The flaws can enable attackers to slow down web servers, overwhelm them with seemingly innocent messages that carry a payload of gigabytes of data, put web servers into infinite loops, and even crash them.

The HTTP/2 protocol can be divided into three layers: The transmission layer, including streams, frames and flow control; HPACK, binary encoding and compression protocol; and the semantic layer, which is an enhanced version of HTTP/1.1 enriched with server-push capabilities.

But new research by security software supplier Imperva has highlighted what it claims are four key vulnerabilities in HTTP/2. They include:

• Slow read. This attack calls on a malicious client to read responses very slowly and is identical to the well-known Slowloris distributed denial of service attack experienced by major credit card processors in 2010. "Despite slow read attacks being well-studied in the HTTP/1.x ecosystem, they are still effective - this time in the application layer of HTTP/2 implementations. The Imperva Defense Center identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2," claims Imperva;
• HPACK bomb. This compression-layer attack resembles a 'decompression bomb'. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable;
• Dependency cycle attack. This attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimisation. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies;
• Stream multiplexing abuse. The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server. This ultimately results in a denial of service to legitimate users.

The highlighted flaws come at a time when deployment of HTTP/2 is expanding fast, with approximately 85 million websites, or around nine per cent of all websites, having adopted it by August 2016, according to W3Techs - less than one year after it was introduced.

"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users," said Amichai Shulman, co-founder and chief technology officer of Imperva.

He continued: "However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it's hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."

The flaws take advantage of features of HTTP/2 that were intended to reduce bandwidth usage and round-trips, while speeding up the loading time of web pages.

"The primary motivation for the transition into binary encoding and HPACK compression is to reduce bandwidth, while the other components are designed to reduce round-trips and accelerate the loading time of complex web pages.

"Thus, HTTP/2 is expected to significantly improve the loading time and the overall browsing experience of web users while sometimes putting a heavier computational burden on servers," according to Imperva's research paper.

HTTP can be traced back to 1965 and the development of the client-server model of computing. It's a simple request-response protocol commandeered by Sir Tim Berners-Lee when he was formulating the Worldwide Web in 1989. HTTP/2 is largely based on Google's experimental SPDY project and is supported by Chrome, Opera, Firefox, Internet Explorer 11, Edge, Safari and Amazon Silk.

Imperva will be presenting its research at Black Hat 2016 security conference this week.