Imperva finds the Basic Structure of the Web Itself Could Be at Risk
August 11, 2016
Ever have one of those days when you feel like you're living over a sinkhole? It's small right now, but who knows how long before it expands and everything you know sinks into a pit that could be several feet deep. That's how a lot of people are probably feeling after a new study from Imperva revealed that the basic material that makes up the entire World Wide Web, the HTTP/2 protocol, is flawed in four significant ways.
The Imperva report, part of its Hacker Intelligence Initiative and highlighted at the recent Black Hat USA 2016 event, detailed the issues.
One of the biggest issues is that HTTP/2 brings in a set of new tools that effectively make targets more vulnerable by increasing the potential attack surface and opening up more potential points of failure. Using implementations from Apache, Jetty, Microsoft and others, Imperva researchers found that not only were there new vulnerabilities in HTTP/2, but vulnerabilities known from HTTP/1.x also had close counterparts in HTTP/2.
Those vulnerabilities include the:
- Slow Read concept
- HPACK Bomb
- Dependency Cycle Attack
- Stream Multiplexing Abuse concept
Slow Read is identical to the Slowloris distributed denial of service (DDoS) attack that plagued credit card processing firms as far back as 2010. Variants of Slow Read have been found in several popular Web server implementations, from Apache to NGINX.
The HPACK Bomb is similar to a zip bomb: small compressed messages decompress into massive, multiple-gigabyte messages that quickly swamp a system, rendering it unusable from the outside. Dependency Cycle Attacks, meanwhile, exploit flow control mechanisms newly introduced into the protocol to force servers into permanent loops, as new, erroneous requests produce a cycle of dependencies that can't be broken. Finally, Stream Multiplexing Abuse uses the stream multiplexing options found in HTTP/2 to crash a server and make it unavailable to other users.
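To make the HPACK Bomb mechanism concrete from the defender's side, here is a small Python model (added here; it is not Imperva's code and not a real HPACK codec) of how a header block that costs a few kilobytes on the wire can reference one large dynamic-table entry over and over, and how a cap on the decoded header list size stops the expansion before it consumes memory. Real HTTP/2 servers enforce this cap through SETTINGS_MAX_HEADER_LIST_SIZE; the instruction tuples, the byte estimates in `wire_size`, the `x-pad` header and the 8 KiB limit are constructed for the illustration.

```python
"""
Toy model of HPACK-style header expansion and the decoded-size guard.

Simplifications (this is NOT RFC 7541 wire format): no Huffman coding,
no static table, no integer prefix encoding. Instructions are tuples:
  ("literal-index", name, value)  emit header and push it onto the dynamic table
  ("indexed", idx)                emit the dynamic-table entry at idx (0 = newest)
"""
from typing import List, Optional, Tuple

# Hypothetical server limit on the total decoded size of one header list.
MAX_HEADER_LIST_SIZE = 8 * 1024


class HeaderListTooLarge(Exception):
    """Raised when decoding would exceed the configured header list size."""


def entry_size(name: str, value: str) -> int:
    # HPACK accounts each entry as len(name) + len(value) + 32 octets (RFC 7541 s4.1).
    return len(name) + len(value) + 32


def wire_size(block: List[tuple]) -> int:
    """Rough bytes on the wire: an indexed reference is ~1 byte, a literal is its
    text plus two length bytes. Good enough to show the expansion ratio."""
    total = 0
    for ins in block:
        if ins[0] == "indexed":
            total += 1
        else:
            total += 2 + len(ins[1]) + len(ins[2])
    return total


def decode(block: List[tuple],
           max_header_list_size: Optional[int] = MAX_HEADER_LIST_SIZE
           ) -> Tuple[List[Tuple[str, str]], int]:
    """Decode a block, returning (headers, decoded_size).

    With a limit set, the decoder aborts at the first instruction that would push
    the running decoded size past it, so the full list is never materialised.
    Passing None decodes without a guard (only useful to measure the blow-up)."""
    table: List[Tuple[str, str]] = []
    headers: List[Tuple[str, str]] = []
    decoded = 0
    for ins in block:
        if ins[0] == "literal-index":
            _, name, value = ins
            table.insert(0, (name, value))
        elif ins[0] == "indexed":
            name, value = table[ins[1]]
        else:
            raise ValueError(f"unknown instruction {ins[0]!r}")
        decoded += entry_size(name, value)
        if max_header_list_size is not None and decoded > max_header_list_size:
            raise HeaderListTooLarge(
                f"decoded header list would exceed {max_header_list_size} bytes")
        headers.append((name, value))
    return headers, decoded


def rejects(block: List[tuple], max_header_list_size: int = MAX_HEADER_LIST_SIZE) -> bool:
    """True if the guarded decoder refuses this block."""
    try:
        decode(block, max_header_list_size)
        return False
    except HeaderListTooLarge:
        return True


def build_sample_block(repeats: int) -> List[tuple]:
    """Constructed sample: one 4 KiB literal header, then `repeats` one-byte
    references back to it. Used only to measure how far the guard lets it go."""
    block: List[tuple] = [("literal-index", "x-pad", "a" * 4096)]
    block += [("indexed", 0)] * repeats
    return block


def expansion_ratio(block: List[tuple]) -> float:
    """Decoded size divided by wire size for an unguarded decode."""
    _, decoded = decode(block, None)
    return decoded / wire_size(block)


if __name__ == "__main__":
    sample = build_sample_block(1000)
    print("wire bytes:", wire_size(sample))
    print("expansion ratio (unguarded):", round(expansion_ratio(sample)))
    print("guarded decoder rejects it:", rejects(sample))
    print("ordinary request decodes:", decode([("literal-index", ":method", "GET")]))
```

The point of the guard is where it sits: the check runs per instruction on the running total, so a server configured this way spends at most the cap in memory before discarding the stream, regardless of how many references follow.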
Given that HTTP/2 use is on the rise in a big way (in December 2015, 2.3 percent of sites used HTTP/2, but now that number is up around 8.7 percent), finding these vulnerabilities is the start of the necessary patch work that can hopefully close them off before they can be used against servers everywhere. Knowing there's a problem is the first step to fixing it, and while this isn't welcome news, since we'd all rather hear there's no particular problem, a problem you know about is one you can fix. Given how vital HTTP/2 is, securing it from exploitation ASAP is truly mission critical for all of us.
Edited by Peter Bernstein