Name | Image | Description |
HTTP/2 | | HTTP/2 is the second major version of HTTP, the fundamental protocol of the web. Conceptually it derives from the experimental SPDY protocol. It was submitted to the Internet Engineering Steering Group for consideration as a standard in December 2014 and was published as RFC 7540 in May 2015, together with RFC 7541, which specifies HPACK, the header compression format used by HTTP/2. (RFC 7540 has since been obsoleted by RFC 9113, which keeps the wire format but deprecates the stream-priority scheme that the dependency-cycle attack below abuses.) |
HTTP/2 protocols |
Slow Read (CVE-2016-1546) | | This attack is a close relative of the well-known Slowloris denial-of-service (DoS) attack used against major credit card processors in 2010. Where Slowloris sends requests slowly, Slow Read has the malicious client read responses very slowly, so the server keeps a worker and the buffered response tied up for every stalled stream. In HTTP/2 the client gets this behaviour from flow control itself: it advertises a tiny window (SETTINGS_INITIAL_WINDOW_SIZE) and then withholds WINDOW_UPDATE frames, and the server is not allowed to send further DATA frames until the window reopens. Slow Read was well studied in the HTTP/1.x ecosystem and is still alive in the application layer of HTTP/2 implementations. |
HPACK Bomb (CVE-2016-1544, CVE-2016-2525) | | HPACK Bomb is a compression-layer attack that resembles a zip bomb (decompression bomb). HPACK (RFC 7541) reduces the size of HTTP/2 header blocks by letting the sender store header fields in a dynamic table on the receiver and then refer to them by index; the receiver advertises the maximum table size it will hold (SETTINGS_HEADER_TABLE_SIZE, 4,096 bytes by default). In this attack the attacker crafts small, innocent-looking header blocks that unpack into gigabytes of data on the server, consuming all of its memory and slowing down or crashing the targeted system. Imperva created a header of 4 KB, the size of the entire compression table. Then, on the same connection, it opened new streams, each of which referenced that header as many times as possible (up to 16K references per stream). A reference costs as little as one byte on the wire but expands to 4 KB on decoding, so after 14 such streams the connection had consumed 896 MB of server memory after decompression (14 × 16K × 4 KB), which crashed the server, the Imperva researchers explain. The defence is to bound the decoded header list (SETTINGS_MAX_HEADER_LIST_SIZE in RFC 7540) and abort decoding as soon as the bound is exceeded, rather than limiting only the compressed input. |
Dependency Cycle Attack (CVE-2015-8659) | | This attack leverages the stream prioritization mechanism that HTTP/2 uses for network optimization: each stream can declare (in HEADERS or PRIORITY frames) that it depends on another stream, forming a tree the server walks when scheduling frames. A malicious client can use specially crafted PRIORITY frames to make a stream depend on one of its own descendants; an implementation that does not re-parent the dependency as RFC 7540 section 5.3.3 requires ends up with a cycle and is forced into an infinite loop when it traverses the tree. According to the report, the flaw could allow an attacker to cause denial of service (DoS) or even run arbitrary code on a vulnerable system. |
Stream Multiplexing Abuse (CVE-2016-0150) | | This attack exploits vulnerabilities in the way servers implement HTTP/2 stream multiplexing (many concurrent streams over a single connection) in order to crash the server, which results in a denial of service (DoS) for legitimate users. All four vulnerabilities have since been fixed in the affected server implementations; the protocol itself did not change. At the time of the report, HTTP/2 was in use by some 85 million websites, around 9 percent of all websites on the Internet, according to W3Techs. |
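The Slow Read entry above describes the attack in terms of a client that reads slowly; on HTTP/2 the lever is the flow-control window. The following is an added example (not code from the report or from any HTTP/2 server) that models the server side of RFC 7540 flow control, with a stall watchdog of this example's own design: a stream that has data pending but a closed window for longer than a timeout is reset with ENHANCE_YOUR_CALM. The 10-second timeout, the 1-byte window and the response bodies are illustrative values; time is simulated so the scenario runs instantly.

```python
"""Server-side HTTP/2 flow-control accounting (RFC 7540 section 6.9) with a stall
watchdog for slow-read clients. Added illustration; the scheduling loop and the
timeout policy are this example's own, not any particular server's code."""

DEFAULT_WINDOW = 65535   # initial flow-control window for the connection and each stream
MAX_FRAME_SIZE = 16384   # SETTINGS_MAX_FRAME_SIZE default: largest DATA payload we emit
ENHANCE_YOUR_CALM = 0xB  # RST_STREAM/GOAWAY error code for a peer behaving abusively


class Stream:
    def __init__(self, stream_id, body, window):
        self.id = stream_id
        self.pending = body        # response bytes not yet sent
        self.window = window       # stream-level send window granted by the peer
        self.stalled_since = None  # simulated time at which sending first became impossible


class Connection:
    """The server side of one HTTP/2 connection with simulated time (self.now)."""

    def __init__(self, initial_window=DEFAULT_WINDOW, stall_timeout=10.0):
        # initial_window is the client's SETTINGS_INITIAL_WINDOW_SIZE; a slow-read client
        # sets it tiny (even 0) and then never sends WINDOW_UPDATE.
        self.initial_window = initial_window
        self.window = DEFAULT_WINDOW   # connection-level send window
        self.stall_timeout = stall_timeout
        self.now = 0.0
        self.streams = {}
        self.resets = []               # (stream_id, error_code) RST_STREAMs we emitted

    def open_stream(self, stream_id, body):
        self.streams[stream_id] = Stream(stream_id, body, self.initial_window)

    def window_update(self, stream_id, increment):
        """WINDOW_UPDATE from the peer; stream id 0 addresses the connection window."""
        if stream_id == 0:
            self.window += increment
        elif stream_id in self.streams:
            self.streams[stream_id].window += increment

    def tick(self, seconds):
        self.now += seconds

    def pump(self):
        """Send as many DATA frames as the windows allow; returns [(stream_id, length)]."""
        frames = []
        for s in list(self.streams.values()):
            while s.pending:
                n = min(len(s.pending), s.window, self.window, MAX_FRAME_SIZE)
                if n == 0:                       # window closed: remember when it happened
                    if s.stalled_since is None:
                        s.stalled_since = self.now
                    break
                s.stalled_since = None
                frames.append((s.id, n))
                s.pending = s.pending[n:]
                s.window -= n
                self.window -= n
            if not s.pending:
                del self.streams[s.id]           # response fully sent
        return frames

    def check_stalls(self):
        """Reset streams whose window has stayed closed with data pending for longer
        than stall_timeout; returns the ids that were reset."""
        reset = []
        for s in list(self.streams.values()):
            if s.stalled_since is not None and self.now - s.stalled_since >= self.stall_timeout:
                self.resets.append((s.id, ENHANCE_YOUR_CALM))
                del self.streams[s.id]
                reset.append(s.id)
        return reset


def slow_read_scenario():
    """Attacker: 1-byte window, never updated. Returns (bytes sent, streams reset)."""
    conn = Connection(initial_window=1, stall_timeout=10.0)
    conn.open_stream(1, b"A" * 100_000)          # constructed 100 KB response
    sent = sum(n for _, n in conn.pump())        # only one byte gets out
    conn.tick(11.0)
    return sent, conn.check_stalls()


def legitimate_scenario():
    """Slow but honest client: reopens both windows before the timeout expires."""
    conn = Connection(initial_window=1, stall_timeout=10.0)
    conn.open_stream(1, b"A" * 100_000)
    sent = sum(n for _, n in conn.pump())
    conn.tick(5.0)
    conn.window_update(1, 99_999)                # client drained its stream buffer
    conn.window_update(0, 99_999)                # and its connection buffer
    sent += sum(n for _, n in conn.pump())
    conn.tick(6.0)
    return sent, conn.check_stalls()
```

The important design point is that the watchdog keys on "data pending and window closed", not on connection idleness: a slow-read connection is never idle from the server's point of view, because the client keeps the TCP session alive and may even send PING or PRIORITY frames. Multiplexing makes the attack cheaper than on HTTP/1.1, since one connection can hold many stalled streams, so a real server should also cap the number of concurrent streams it is willing to stall on.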
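The HPACK Bomb entry gives the numbers (a 4 KB entry, 16K references per stream, 14 streams, 896 MB); the following added example reproduces them with a small HPACK decoder written for this page, not code from the Imperva report or from any HTTP/2 library. It implements only the two RFC 7541 representations the attack needs, "literal with incremental indexing" (which plants an entry in the decoder's dynamic table) and "indexed header field" (which references it); Huffman strings, the static table and the other literal forms are left out. The header name "x" and the 4,063-byte value are constructed so that the entry is exactly 4,096 bytes including the 32-byte accounting overhead, and the 16,384-byte header-list bound used to stop the bomb is an assumed configuration value.

```python
"""HPACK (RFC 7541) decoder subset reproducing the HPACK-bomb amplification and the
header-list bound that defeats it. Only 'literal with incremental indexing' and
'indexed header field' are implemented; everything else raises NotImplementedError."""

STATIC_TABLE_SIZE = 61     # RFC 7541 Appendix A; dynamic entries are numbered from 62
ENTRY_OVERHEAD = 32        # per-field accounting overhead (RFC 7541 s4.1, RFC 7540 s6.5.2)
DEFAULT_TABLE_SIZE = 4096  # SETTINGS_HEADER_TABLE_SIZE default


class HeaderListTooLarge(Exception):
    pass


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 s5.1 integer with an N-bit prefix; `flags` holds the pattern bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(data, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos = data[pos] & limit, pos + 1
    shift, more = 0, value == limit           # continuation bytes: 7 bits each, LSB first
    while more:
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift, more = shift + 7, bool(b & 0x80)
    return value, pos


def encode_string(s):
    """Raw string literal: H bit clear, 7-bit length prefix, then the octets."""
    return encode_int(len(s), 7) + s.encode("ascii")


def decode_string(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are not needed here")
    length, pos = decode_int(data, pos, 7)
    return data[pos:pos + length].decode("ascii"), pos + length


def literal_with_indexing(name, value):
    """Field the decoder must add to its dynamic table (pattern 01, index 0 = new name)."""
    return encode_int(0, 6, 0x40) + encode_string(name) + encode_string(value)


def indexed(index):
    """Reference to an existing table entry (pattern 1); one byte for index < 127."""
    return encode_int(index, 7, 0x80)


class DynamicTable:
    def __init__(self, max_size=DEFAULT_TABLE_SIZE):
        self.max_size, self.entries, self.size = max_size, [], 0   # newest entry first

    def add(self, name, value):
        self.entries.insert(0, (name, value))
        self.size += len(name) + len(value) + ENTRY_OVERHEAD
        while self.size > self.max_size:              # evict oldest entries (RFC 7541 s4.4)
            n, v = self.entries.pop()
            self.size -= len(n) + len(v) + ENTRY_OVERHEAD


def decode_header_block(data, table, max_header_list_size=None):
    """Decode one header block; returns (fields, decoded_size). With a bound set,
    decoding aborts as soon as the decoded fields exceed it (the defence)."""
    fields, size, pos = [], 0, 0
    while pos < len(data):
        first = data[pos]
        if first & 0x80:                              # indexed header field
            index, pos = decode_int(data, pos, 7)
            if index <= STATIC_TABLE_SIZE: raise NotImplementedError("static table omitted")
            name, value = table.entries[index - STATIC_TABLE_SIZE - 1]
        elif (first & 0xC0) == 0x40:                  # literal with incremental indexing
            index, pos = decode_int(data, pos, 6)
            if index != 0: raise NotImplementedError("only 'new name' literals supported")
            name, pos = decode_string(data, pos)
            value, pos = decode_string(data, pos)
            table.add(name, value)
        else:
            raise NotImplementedError("representation not supported")
        size += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and size > max_header_list_size:
            raise HeaderListTooLarge(f"decoded header list exceeds {max_header_list_size} bytes")
        fields.append((name, value))
    return fields, size


def hpack_bomb(streams=14, refs_per_stream=16384, max_header_list_size=None):
    """Replay the reported scenario: one 4 KB entry, then `streams` header blocks of
    `refs_per_stream` one-byte references. Returns (wire_bytes, decoded_bytes, rejected)."""
    table = DynamicTable()
    seed = literal_with_indexing("x", "a" * 4063)   # 1 + 4063 + 32 = 4096: fills the table exactly
    bomb = indexed(62) * refs_per_stream             # 16 KB of wire per stream
    decode_header_block(seed, table)
    wire, decoded = len(seed), 0
    try:
        for _ in range(streams):
            _, size = decode_header_block(bomb, table, max_header_list_size)
            wire, decoded = wire + len(bomb), decoded + size
    except HeaderListTooLarge:
        return wire, decoded, True                   # bounded decoder rejected the block
    return wire, decoded, False
```

`hpack_bomb()` with no bound decodes about 228 KB of wire into 896 MiB of accounted header data, the figure in the entry above; `hpack_bomb(max_header_list_size=16384)` rejects the first bomb block after its fifth reference, before anything large is materialised. Note that SETTINGS_MAX_HEADER_LIST_SIZE is only advisory for the sender: the decoder must enforce its own limit while decoding, because a decoder that first decompresses and then measures has already paid for the bomb.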
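The Dependency Cycle entry says a crafted dependency forces the server into an infinite loop; the following added example (this page's own illustration, not code from any server or from the report) shows the priority tree of RFC 7540 section 5.3 with two reprioritization routines side by side: a naive one that simply rewrites the parent pointer, and one that applies the section 5.3.3 rule of first moving the would-be ancestor under the reprioritized stream's old parent. The stream numbers and the bounded ancestor walk that detects the cycle are assumptions of the example; a server that walks the tree without such a bound spins forever on the naive result.

```python
"""HTTP/2 stream priority tree (RFC 7540 section 5.3) with a vulnerable and a
correct reprioritization. Added illustration, not any implementation's code."""


class PriorityTree:
    def __init__(self):
        self.parent = {0: None}    # stream 0 is the root of the dependency tree
        self.weight = {0: 16}

    def add(self, stream_id, depends_on=0, weight=16):
        self.parent[stream_id] = depends_on
        self.weight[stream_id] = weight

    def children(self, stream_id):
        return [s for s, p in self.parent.items() if p == stream_id]

    def reprioritize_naive(self, stream_id, depends_on, exclusive=False):
        """Vulnerable: trusts the PRIORITY frame and just rewrites the parent pointer."""
        self.parent[stream_id] = depends_on

    def is_descendant(self, candidate, ancestor):
        """True if walking upward from candidate reaches ancestor."""
        seen, s = set(), candidate
        while s is not None:
            if s == ancestor:
                return True
            if s in seen:
                raise RuntimeError("dependency cycle already present")
            seen.add(s)
            s = self.parent[s]
        return False

    def reprioritize(self, stream_id, depends_on, exclusive=False):
        """RFC 7540 s5.3.3: if stream_id is made dependent on one of its own
        descendants, that descendant is first moved under stream_id's old parent
        (keeping its weight); then the exclusive flag, if set, re-parents the new
        parent's other children under stream_id."""
        if depends_on == stream_id:
            raise ValueError("PROTOCOL_ERROR: a stream cannot depend on itself")
        if self.is_descendant(depends_on, stream_id):
            self.parent[depends_on] = self.parent[stream_id]
        if exclusive:
            for c in self.children(depends_on):
                if c != stream_id:
                    self.parent[c] = stream_id
        self.parent[stream_id] = depends_on

    def ancestors(self, stream_id):
        """Parent chain up to the root. A correct tree reaches the root within
        len(self.parent) hops, so a longer walk can only mean a cycle."""
        chain, s = [], self.parent[stream_id]
        while s is not None:
            if len(chain) >= len(self.parent):
                raise RuntimeError("dependency cycle: walk never reaches stream 0")
            chain.append(s)
            s = self.parent[s]
        return chain


def cycle_attack(fixed):
    """Client opens stream 1 and stream 3 (depending on 1), then sends a PRIORITY
    frame making stream 1 depend on its own child 3. Returns the ancestor chain of
    stream 1, or None when the tree can no longer be walked to the root."""
    tree = PriorityTree()
    tree.add(1)
    tree.add(3, depends_on=1)
    update = tree.reprioritize if fixed else tree.reprioritize_naive
    update(1, depends_on=3)
    try:
        return tree.ancestors(1)
    except RuntimeError:
        return None
```

With the naive routine the tree becomes 1 → 3 → 1 and every scheduler that follows parent pointers (to compute a stream's share of bandwidth, or to find the next ready stream) loops; with the RFC rule stream 3 is re-parented to the root first, so stream 1's chain is simply [3, 0]. Since RFC 9113 deprecates this priority scheme, a current implementation can also choose to accept PRIORITY frames and ignore their content, which removes the tree walk altogether.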