HTTP2 attacks and WebApp Race Condition Presentations
Hackfest is a community of both experts and enthusiasts of computer security. The annual event of the same name brings together over 650 people and is the organization's main activity. Hackfest's reach extends across eastern Canada, meaning more than half of the participants come from outside the region of Quebec. Hackfest also runs other projects such as the monthly HackerSpace, a podcast, a blog and more.
During Hackfest 2016, Security Compass was proud to have Michael Bennett (Lead DDoS Strike Developer at Security Compass) and Aaron Hnatiw (Security Consultant at Security Compass) present.
Clogging the Future's Series of Tubes: A look at HTTP2 DDoS Attacks
The future is here! HTTP2 is the next generation of the HTTP protocol, designed from the ground up with performance in mind. It has a strong focus on loading full web pages and all of their dependencies faster through better network utilization and fewer concurrent connections. But like any new technology, HTTP2 brings with it a new set of challenges and issues that need to be considered, and some security issues have already been identified. In this talk, Michael Bennett presents some of his research into how HTTP2 makes it easier to launch powerful layer 7 attacks and how attackers can leverage HTTP2 to launch new types of DDoS attacks. He also explores the readiness of the DDoS mitigation industry to detect HTTP2-based DDoS attacks.
Video: https://www.youtube.com/watch?v=10UFK9KIXIQ
Racing the Web
Long thought to be relegated to the domain of fast, multi-threaded desktop applications, race conditions are a well-known issue in software development, and they often result in program crashes and poor usability. Most instances of race conditions can be difficult to test, as they may only occur in one in one thousand uses, and only under very specific conditions. As a result, these bugs rarely manifest themselves with any regularity. But what happens when a race condition exists in an application that accepts thousands of concurrent connections? Suddenly the likelihood of unintended behaviour increases exponentially, and the consequences can be devastating.
In a web application, user sessions are often treated the same as desktop user sessions: a user is expected to perform a single task at a time, while the server processes the information and performs the intended functionality for that user. But what would happen if a user tried to perform the same task hundreds or thousands of times simultaneously? If the proper checks and defensive measures are not in place, databases get confused, "one-time-use" becomes a relative term, and "limited" becomes "unlimited".
The focus of this talk is the security implications of this exact scenario, detailing specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
Video: https://www.youtube.com/watch?v=4T99v957I0o
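To make the "one-time-use becomes a relative term" point concrete, here is an added illustration (not code from the talk or from Security Compass): a check-then-act race in a one-time coupon redemption, beside the hardened version that performs the check and the decrement atomically. The in-memory store standing in for a database row and the thread-per-request simulation are assumptions of this example.

```python
"""Added example: a check-then-act race in one-time coupon redemption.
The dict stands in for a database row and each thread for one concurrent
HTTP request; both are constructed for illustration only."""
import threading
import time


class CouponStore:
    """Holds remaining uses per coupon code (constructed sample data)."""

    def __init__(self, uses):
        self.uses = dict(uses)
        self.lock = threading.Lock()

    def redeem_racy(self, code):
        # Vulnerable: read, decide, then write, with nothing keeping
        # another request from reading the same stale value in between.
        remaining = self.uses.get(code, 0)
        if remaining <= 0:
            return False
        time.sleep(0.001)  # the window in which parallel requests interleave
        self.uses[code] = remaining - 1
        return True

    def redeem_safe(self, code):
        # Hardened: check and decrement happen under one lock, the same
        # effect as a single conditional UPDATE ... WHERE uses > 0 in SQL.
        with self.lock:
            remaining = self.uses.get(code, 0)
            if remaining <= 0:
                return False
            time.sleep(0.001)
            self.uses[code] = remaining - 1
            return True


def hammer(store, handler, code, n):
    """Fire n concurrent redemptions of `code`; return how many succeeded."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(handler(code)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    racy = CouponStore({"ONCE": 1})
    print("racy accepted:", hammer(racy, racy.redeem_racy, "ONCE", 50))
    safe = CouponStore({"ONCE": 1})
    print("safe accepted:", hammer(safe, safe.redeem_safe, "ONCE", 50))
```

The racy store typically accepts far more than one redemption of a single-use coupon, while the locked store accepts exactly one and leaves zero uses remaining.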
Who we are
Security Compass is a leading application security firm specializing in solving root application security problems for Fortune 500 companies. Our goal is to help you build secure software by seamlessly unifying your application security needs through eLearning, Security Requirements and Verification. Send us a message, we’d love to see how we can help you.