Collaborate Disseminate
I was reading some stuff about HTTP2/HTTP3 and I was trying to understand, where can i see these two types of HTTP in action?
For example, will HTTP2 be more common to see on a simple website like a blog or webpage and HTTP3 will be more c… Continue reading Where can I see HTTP/2 and HTTP/3 in action? [closed]
I’m researching information about HTTP/2 from a cybersecurity point of view for an article, and i wanted to include a section about attacks exclusive to HTTP/2 or were this protocol have a key role.
I already got information about request … Continue reading Are there HTTP/2 specific attacks different from request smuggling?
I have pcap file that consists of HTTP/2 requests. Communication between two machines used basically done through Encryption using JSON Web Encryption (JWE) and encapsulate and encapsulates the resulting JWE object into a HTTP/2 message (a… Continue reading Decrypting Data field of HTTP2 packet in Wireshark
Since NGINX does not support sending HTTP/2 requests upstream, what are the present NGINX reverseproxy users doing to mitigate HTTP Request Smuggling vulnerability?
I understand that the best way to prevent HTTP Request Smuggling is by sen… Continue reading What are NGINX reverseproxy users doing to prevent HTTP Request smuggling?
I’ve been researching timeless timing attacks, ie: timing attacks using concurrency rather than round trip time. Here is an article by portswigger with links to the original article by Van Goethem. Basically it says that if you pack two re… Continue reading Timeless timing attacks and response jitter
The latest version of Arkime (The Sniffer Formerly Known As Moloch) can now be fed with a real-time stream of decrypted HTTPS traffic from PolarProxy. All that is needed to enable this feature is to include ‘pcapReadMethod=pcap-over-ip-server’ in Arkim… Continue reading Capturing Decrypted TLS Traffic with Arkime
A new Nessus plugin (140735 – HTTP Smuggling Detection) was very recently incorporated into Tenable’s PCI template and is now beeing flagged as a "medium" vulnerability and causing scans to fail.
The only info in the scan report … Continue reading Nessus Plugin "HTTP Smuggling Detection" failing due to support for http/1.1 – how to overcome?
Which vulnerabilites does HTTP/2 prevent?
More specifically:
Does it prevent HTTP request smuggling?
Does it prevent HTTP response splitting / CRLF injection?
Continue reading Does HTTP/2 prevent security vulnerabilites like CRLF injection?
As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured.
However, HTTP/2, whilst not making e… Continue reading Is there any point in having the HSTS header enabled when using HTTP/2?
Netflix has identified several denial of service (DoS) flaws in HTTP/2, a popular network protocol that underpins large parts of the web. Exploiting them could bring servers grinding to a halt. Continue reading Multiple HTTP/2 DoS flaws found by Netflix