Security experts have discovered four major vulnerabilities in the new HTTP/2 protocol, potentially exposing as many as 90 million websites to denial of service and other attacks.
Imperva released the findings at Black Hat this week, claiming to have tested them on HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2.
The flaws, which have now been fixed, include some which have been carried over from the first iteration of HTTP.
Slow Read is one – identical to the Slowloris DDoS attacks on credit card processors in 2010.
The bug can be exploited to force a client to read responses very slowly, effectively taking it out of action.
The second bug, HPACK Bomb, crafts small and apparently innocent messages that actually turn into gigabytes of data on the server, consuming all of its memory resources and once again putting it out of action.
The next is a Dependency Cycle Attack, which takes advantage of flow control mechanisms meant to optimize the network – forcing the server into an infinite loop as it tries to deal with dependencies created by malicious client requests.
The final issue is dubbed Stream Multiplexing Abuse and requires an attacker to use flaws in the way servers implement the stream multiplexing functionality to crash the server.
Imperva recommended firms adopting HTTP/2 to remain vigilant, and consider implementing a web application firewall to protect themselves from such bugs.
“The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users,” said Imperva co-founder, Amichai Shulman.
“However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”
According to some studies, HTTP/2 is now used by over 9% of sites, which could equate to more than 90 million.