About WordPress As of 2024, WordPress powers 43% of all websites on the internet. 474 million websites run WordPress software and one or more of 70 000 plugins. Unfortunately, as history shows, many WordPress plugins, even popular ones, often contain security vulnerabilities. Sometimes these vulnerabilities are trivial to find. So far this year, 280 critical (CVSS score 9.0+) vulnerabilities have been found in WordPress plugins. Critical vulnerabilities usually allow taking over a WordPre...| nowotarski.info
What is the CONTINUATION Flood? It is a new class of vulnerabilities in multiple implementations of the HTTP/2 protocol. The root cause is incorrect handling of HEADERS and multiple CONTINUATION frames, which ultimately leads to Denial of Service. The outcome depends on the implementation but ranges from an instant crash after sending a couple of HTTP/2 frames, to an Out Of Memory crash, to CPU exhaustion affecting server availability. More technical details can be found in HTTP/2 CONTINUATION Flood: Te...
Infinite read in net/textproto.Reader In September 2023 I discovered an issue in Golang’s net/textproto.Reader. In one of its internal methods (readLineSlice), the code reads data from bufio.Reader in an infinite loop and appends it to line, the previously read data. It uses ReadLine, which behaves differently from the other bufio.Reader methods: it is the only method that does not return an error when its internal buffer fills up. Instead, when the buffer becomes full it returns more=true v...
What are chunk extensions? A chunk extension can be added to a data chunk in HTTP/1.1 to extend it with some metadata connected to a given chunk. But what are chunks and chunked encoding in general? Let’s look into RFC9112: The chunked coding allows each chunk to include zero or more chunk extensions, immediately following the chunk-size, for the sake of supplying per-chunk metadata (such as a signature or hash), mid-message control information, or randomization of message body size.
2024 HTTP/2 CONTINUATION Flood A class of vulnerabilities I discovered and worked on in Q1 of 2024. Affects multiple HTTP/2 implementations: amphp/http (CVE-2024-2653), Apache HTTP Server (httpd) (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919, CVE-2024-30255), Golang (CVE-2023-45288), nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), Tempesta FW (CVE-2024-2758) and more. 2023 Vulnerabilities connected to net/textproto.Re...
Preface In October 2023 I learned about the HTTP/2 Rapid Reset attack, dubbed “the largest DDoS attack to date”. I didn’t have deep knowledge of HTTP/2 back then. I knew its basics like frames or HPACK, but I was focusing more on the HTTP/1.1 protocol and programming language vulnerabilities. I decided to dedicate time to exploring HTTP/2 from a security analysis perspective after concluding my then-current research. A quick intro to HTTP/2 The main difference between HTTP/1.