AppSec Israel 2016 has ended
Monday, September 19 • 12:35 - 13:20
Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation


HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms that together can be seen as a single transition layer for web traffic. Adoption of HTTP/2 has been lightning fast: only a year after its publication, HTTP/2 is already supported by all significant players in the field, including browsers, web servers and Content Delivery Networks.
In this presentation we will survey the HTTP/2 attack surface (stream multiplexing, flow control, HPACK compression and server push), focusing on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will then present new classes of vulnerabilities introduced by the mechanisms used with HTTP/2 and explain how these vulnerabilities can be used to mount effective attacks against web servers such as Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546, CVE-2016-0150 and CVE-2016-1544, and end by discussing several approaches for mitigating attacks of these types.
Those attending this session will understand that:
1. As an emerging technology that introduces novel and flexible mechanisms, HTTP/2 also induces new risks.
2. HTTP/2 implementations are still not “security mature.” It is therefore almost certain that scrutiny of HTTP/2 implementations will increase in the coming years, resulting in the discovery of new vulnerabilities, exploits and security patches. As HTTP/2 gains popularity, this trend will intensify.
3. An effective security strategy for newly adopted technologies must rely on supplemental solutions rather than on patching alone.

Speakers
Nadav Avital

Application Security Research Team Leader, Imperva
Nadav Avital is an expert in web application security. He leads an Imperva team that captures and analyzes hacking activities and then creates mitigation strategies. These efforts result in research into new technologies and protocols. Nadav has more than 10 years’ industry experience...
Noam Mazor

Imperva
Noam Mazor worked at Imperva as a security research engineer in the Web Application Security team. Noam has experience in analyzing hacking activities, creating mitigations and researching vulnerabilities. He holds a BSc in Computer Science and is currently an MSc student at Tel Aviv U...


Monday September 19, 2016 12:35 - 13:20 IDT
Main Auditorium
Track 1