Attack research on HTTP/2 implementations

https://portswigger.net/research/http2

The introduction claims to have found imperfections in the RFC, so I read this fairly carefully.  There's solid work here in terms of attacking implementations, but no concrete specification problems.

In terms of actual changes to specifications, the work we did in the HTTP/2 revision on field validation should already cover all of these attacks.  Not that RFC 7540 didn't, but we're a lot, lot clearer about it now.

There's a lesson in here for our industry regarding how implementations deal with untrustworthy inputs.  The thing we might each reflect on is why we haven't already internalized that lesson.  It's not like this is a new class of attack or anything.

Received on Friday, 6 August 2021 00:46:11 UTC
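The field validation the message refers to can be written as a check that runs on the decoded field list before a request is forwarded or translated to HTTP/1.1. This is an added example, not part of the original message and not code from any implementation it discusses. It applies the field name, field value and connection-specific field rules of RFC 9113 (sections 8.2.1 and 8.2.2); `field_problem`, `request_problem` and the sample fields are hypothetical names and constructed inputs.

```python
from typing import List, Optional, Tuple

# Added illustration; rules follow RFC 9113 sections 8.2.1 and 8.2.2.
# Function names are hypothetical and the sample fields are constructed.
CONNECTION_SPECIFIC = {b"connection", b"proxy-connection", b"keep-alive",
                       b"transfer-encoding", b"upgrade"}

def field_problem(name: bytes, value: bytes) -> Optional[str]:
    """Return why one decoded field is malformed, or None if it passes."""
    if not name:
        return "empty field name"
    # A single leading ':' marks a pseudo-header; no other colon is allowed.
    body = name[1:] if name.startswith(b":") else name
    if not body or any(c <= 0x20 or 0x41 <= c <= 0x5A or c >= 0x7F or c == 0x3A
                       for c in body):
        return "illegal character in field name"
    if any(c in (0x00, 0x0A, 0x0D) for c in value):
        return "NUL, CR or LF in field value"
    if value and (value[0] in (0x20, 0x09) or value[-1] in (0x20, 0x09)):
        return "leading or trailing whitespace in field value"
    if name in CONNECTION_SPECIFIC:
        return "connection-specific field"
    if name == b"te" and value.lower() != b"trailers":
        return "te other than trailers"
    return None

def request_problem(fields: List[Tuple[bytes, bytes]]) -> Optional[str]:
    """Check a decoded field list. Any problem means the message is malformed
    and should be rejected with a stream error, not repaired or forwarded."""
    seen_regular = False
    for name, value in fields:
        problem = field_problem(name, value)
        if problem:
            return f"{name!r}: {problem}"
        if name.startswith(b":"):
            if seen_regular:
                return f"{name!r}: pseudo-header after regular field"
        else:
            seen_regular = True
    return None

# Constructed sample input (not taken from the research or the message).
CLEAN = [(b":method", b"GET"), (b":scheme", b"https"), (b":path", b"/"),
         (b":authority", b"example.com"), (b"accept", b"*/*")]

if __name__ == "__main__":
    for extra in [(b"x-note", b"ok"), (b"X-Note", b"ok"), (b"x-note", b"a\r\nb")]:
        print(extra, "->", request_problem(CLEAN + [extra]))
```

The check belongs at the point where fields leave the HPACK decoder, so that every later component sees only field lists that have already passed it.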