HTTP/2 is the second major version of the HTTP protocol, the fundamental protocol used by the web. Conceptually it derives from the experimental SPDY protocol; it was submitted to the Internet Engineering Steering Group for consideration as a standard in December 2014 and published as RFC 7540 in May 2015, at which time RFC 7541, which specifies the header compression format for HTTP/2, was also published.
| Attack | Description |
|---|---|
| Slow Read (CVE-2016-1546) | This attack is identical to the well-known Slowloris DDoS (distributed denial-of-service) attack that major credit card processors experienced in 2010. The Slow Read attack calls on a malicious client to read responses very slowly. Slow Read attacks were well studied in the HTTP/1.x ecosystem, and they are still alive in the application layer of HTTP/2 implementations. |
| HPACK Bomb (CVE-2016-1544, CVE-2016-2525) | HPACK Bomb is a compression-layer attack that resembles a zip bomb, or "decompression bomb". HPACK is used to reduce the size of packet headers; the sender can tell the receiver the maximum size of the header compression table used to decode the headers. In this attack, a potential hacker creates small and innocent-looking messages that actually unpack into gigabytes of data on the server, consuming all of the server's memory and effectively slowing down or crashing targeted systems. Imperva created a header of 4KB, the same size as the entire compression table. Then, on the same connection, it opened new streams, each of which referred to the initial header as many times as possible (up to 16K header references). After sending 14 such streams, the connection consumed 896MB of server memory after decompression, which crashed the server, Imperva researchers explain. |
| Dependency Cycle Attack (CVE-2015-8659) | This attack leverages the flow control mechanisms that HTTP/2 uses for network optimization. A malicious client can use specially crafted requests to create a dependency cycle, forcing the server into an infinite loop. The flaw could allow an attacker to cause a denial of service (DoS) or even run arbitrary code on a vulnerable system. |
| Stream Multiplexing Abuse (CVE-2016-0150) | The attack allows an attacker to exploit vulnerabilities in the way servers implement stream multiplexing in order to crash the server, which results in a denial of service (DoS) to legitimate users. |

All four vulnerabilities have already been fixed in HTTP/2, which is currently used by some 85 million websites, or around 9 percent of all websites on the Internet, according to W3Techs.
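The HPACK Bomb row above describes the amplification (one 4KB table entry referenced up to 16K times per stream, 14 streams, 896MB decoded) but not the defensive check that stops it. The following is an added example, not Imperva's code and not a wire-format HPACK implementation: header blocks are modelled as Python lists of instructions rather than the real binary encoding, Huffman coding and the static table are left out, and it assumes 4KB means 4096 octets, 16K means 16384 references, and a receiver budget of 64 KiB for one decoded header list (the idea behind HTTP/2's `SETTINGS_MAX_HEADER_LIST_SIZE`). The decoder counts decoded octets as it goes and aborts the block before materialising the expansion.

```python
"""Simplified model of an HPACK-style decoder that enforces a decoded
header-list budget. Added illustration; the instruction-list format and the
numbers below are constructed for this example."""
from dataclasses import dataclass, field

DEFAULT_TABLE_SIZE = 4096  # RFC 7541 default dynamic table size, in octets


class HeaderListTooLarge(Exception):
    """Raised when a header block would decode past the receiver's budget."""


@dataclass
class Decoder:
    max_table_size: int = DEFAULT_TABLE_SIZE
    # Budget for one decoded header list; 64 KiB is an assumed value.
    max_header_list_size: int = 64 * 1024
    dynamic_table: list = field(default_factory=list)  # newest entry first

    @staticmethod
    def entry_size(name: str, value: str) -> int:
        # RFC 7541 section 4.1: entry size = len(name) + len(value) + 32
        return len(name.encode()) + len(value.encode()) + 32

    def _insert(self, name: str, value: str) -> None:
        self.dynamic_table.insert(0, (name, value))
        # Evict the oldest entries until the table fits its size limit.
        while sum(self.entry_size(n, v) for n, v in self.dynamic_table) > self.max_table_size:
            self.dynamic_table.pop()

    def decode(self, block):
        """Decode one header block, raising before the budget is exceeded.

        Instructions (a model, not HPACK's binary form):
          ("literal", name, value)  literal with incremental indexing
          ("indexed", i)            reference to dynamic table entry i (1 = newest)
        """
        headers = []
        used = 0
        for instr in block:
            if instr[0] == "literal":
                _, name, value = instr
                self._insert(name, value)
            elif instr[0] == "indexed":
                name, value = self.dynamic_table[instr[1] - 1]
            else:
                raise ValueError("unknown instruction")
            used += self.entry_size(name, value)
            if used > self.max_header_list_size:
                # Reject the block (in HTTP/2 terms: a 431 or a stream/connection
                # error) instead of allocating the whole expansion.
                raise HeaderListTooLarge(
                    f"decoded header list exceeds {self.max_header_list_size} octets")
            headers.append((name, value))
        return headers


def bomb_streams(table_size=DEFAULT_TABLE_SIZE, refs_per_stream=16 * 1024, streams=14):
    """Constructed traffic shaped like the article's description: one literal
    whose entry fills the dynamic table, then streams that each reference it
    refs_per_stream times. Returns (first_block, list_of_follow_up_blocks)."""
    name = "x"
    value = "a" * (table_size - 32 - len(name))  # entry size == table_size
    first = [("literal", name, value)]
    rest = [[("indexed", 1)] * refs_per_stream for _ in range(streams)]
    return first, rest


def expansion_octets(table_size=DEFAULT_TABLE_SIZE, refs_per_stream=16 * 1024, streams=14):
    """Decoded size an unbounded decoder would have to materialise."""
    return table_size * refs_per_stream * streams


def run_demo() -> int:
    """Decode the constructed traffic; returns how many streams were rejected."""
    first, rest = bomb_streams()
    dec = Decoder()
    dec.decode(first)  # the single 4 KB header is well within budget
    rejected = 0
    for block in rest:
        try:
            dec.decode(block)
        except HeaderListTooLarge:
            rejected += 1
    return rejected


if __name__ == "__main__":
    print("unbounded expansion (MiB):", expansion_octets() // (1024 * 1024))
    print("streams rejected by budgeted decoder:", run_demo())
```

With the assumed figures `expansion_octets()` reproduces the article's 896MB, while the budgeted decoder gives up on each follow-up stream after a handful of references, so the memory actually touched per stream stays near the budget rather than near 64 MiB.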
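The Dependency Cycle row states that crafted requests can force a server into an infinite loop, and the protection is the reprioritisation rule in RFC 7540 section 5.3.3: when a stream is made dependent on one of its own descendants, that descendant is first moved under the stream's former parent, so the tree can never contain a cycle. This added example models a stream priority tree with that rule, alongside a naive relink for contrast and a bounded cycle check; it is not the code of any server named in the article, and the stream ids and tree shape are constructed here.

```python
"""Model of the HTTP/2 stream dependency tree with the RFC 7540 section
5.3.3 reprioritisation rule. Added example; stream ids are constructed."""

ROOT = 0  # stream 0 stands for the root of the dependency tree


class ProtocolError(Exception):
    """Condition a server would answer with RST_STREAM or GOAWAY."""


class PriorityTree:
    def __init__(self):
        self.parent = {}  # stream id -> parent stream id (ROOT at top level)
        self.weight = {}  # stream id -> weight

    def add(self, stream, parent=ROOT, weight=16, exclusive=False):
        if stream in self.parent:
            raise ProtocolError(f"stream {stream} already exists")
        self.parent[stream] = ROOT
        self.weight[stream] = weight
        self.reprioritise(stream, parent, weight, exclusive)

    def children(self, stream):
        return [s for s, p in self.parent.items() if p == stream]

    def is_descendant(self, node, of) -> bool:
        """True if `of` lies on the path from `node` up to the root."""
        cur = self.parent[node]
        while cur != ROOT:
            if cur == of:
                return True
            cur = self.parent[cur]
        return False

    def reprioritise(self, stream, new_parent, weight=None, exclusive=False):
        if new_parent == stream:
            # RFC 7540 section 5.3.1: a stream cannot depend on itself.
            raise ProtocolError(f"stream {stream} depends on itself")
        if new_parent != ROOT and new_parent not in self.parent:
            # Unknown parent: fall back to the default (depend on the root).
            new_parent = ROOT
        if new_parent != ROOT and self.is_descendant(new_parent, stream):
            # Section 5.3.3: move the would-be parent under stream's former
            # parent first, which is what prevents the cycle.
            self.parent[new_parent] = self.parent[stream]
        if exclusive:
            # Other dependents of new_parent become dependents of stream.
            for sibling in self.children(new_parent):
                if sibling != stream:
                    self.parent[sibling] = stream
        self.parent[stream] = new_parent
        if weight is not None:
            self.weight[stream] = weight

    def has_cycle(self) -> bool:
        """Bounded walk to the root from every stream; never loops forever."""
        limit = len(self.parent)
        for start in self.parent:
            cur, steps = start, 0
            while cur != ROOT:
                cur = self.parent[cur]
                steps += 1
                if steps > limit:
                    return True
        return False


def naive_reprioritise(tree: PriorityTree, stream, new_parent) -> None:
    """What an implementation without the 5.3.3 rule does: just relink."""
    tree.parent[stream] = new_parent


def build_chain() -> PriorityTree:
    """Constructed tree: 5 depends on 3, 3 depends on 1, 1 on the root."""
    t = PriorityTree()
    t.add(1)
    t.add(3, parent=1)
    t.add(5, parent=3)
    return t


def demo():
    """Make stream 1 depend on its own descendant 5, both ways.
    Returns (naive_has_cycle, safe_has_cycle, safe_parent_map)."""
    naive = build_chain()
    naive_reprioritise(naive, 1, 5)
    safe = build_chain()
    safe.reprioritise(1, 5)
    return naive.has_cycle(), safe.has_cycle(), dict(safe.parent)


if __name__ == "__main__":
    print(demo())
```

The naive relink turns 1 -> 5 -> 3 -> 1 into a loop that any unbounded tree walk (scheduling, weight propagation) would spin on; with the rule applied, stream 5 is first re-parented to the root, leaving 1 -> 5 -> root and 3 -> 1, which the bounded check confirms is acyclic.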