Security News Four high-profile vulnerabilities in HTTP/2 revealed

frogboy

Imperva released a new report at Black Hat USA 2016, which documents four high-profile vulnerabilities researchers at the Imperva Defense Center found in HTTP/2, the new version of the HTTP protocol that serves as one of the main building blocks of the World Wide Web.

HTTP/2 introduces new mechanisms that effectively increase the attack surface of business-critical web infrastructure, which then becomes vulnerable to new types of attacks.

Imperva researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The team discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed, including two that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x.

It is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

The threats are especially concerning given the rapid adoption of HTTP/2. According to W3Techs, 8.7 percent of all websites, approximately 85 million sites, use HTTP/2, an almost fourfold increase from just 2.3 percent in December 2015.

Full article: Four high-profile vulnerabilities in HTTP/2 revealed - Help Net Security