‘Defenders still have time to catch up and do their homework’

UPDATED Exploiting caching vulnerabilities was a major trend for security researchers in 2018, according to a list of the top web hacking techniques in play last year.

PortSwigger Web Security’s annual honors list – which is voted for by the public and industry judges – was released on Thursday.

This year’s panel included researchers Nicolas Grégoire, File Descriptor, James Kettle, and Soroush Dalili, who whittled down a longlist of 59 nominations to what would eventually become the Top 10 Web Hacking Techniques of 2018.

After looking through the winning exploits, security engineer and OWASP Kuwait chapter leader Mohammed Aldoub said caching attacks were a running theme.

“One trend I noticed is attacks against caching layers, especially Edge Side include injection and cache poisoning,” Aldoub told The Daily Swig.

“Caching is a complex subject and is implemented in many layers independently: http servers; app servers; third-party caching and CDNs, caching servers (like redis), ORM caches, full html response caching (like varnish), cloud-based caching (like elasticache), ISP level caching, and this means that the caching problem is not one that can be solved by headers or simple DevOps tactics. It requires intentional care and attention.

“However, since caching attacks are still not trivial to automate, defenders still have time to catch up and do their homework.

“Once attackers attain the ability to scale caching attacks, Google-dork them, and produce obvious results (taking over accounts, for example), it’s going to be really popular, really quickly.”

He added: “What I noticed lacking from the list is cloud native attack techniques, like for example Serverless Event Data injection attacks, which will grow more popular as serverless adoption, features, and flexibility increases.”

Bronze, Silver, Orange

The second and third place spots this year were handed to James Kettle, for his investigation into web cache poisoning, and Louis Dion-Marcil for his research on abusing caching servers to leverage SSRF and XSS.

Dion-Marcil tweeted: “Sooo happy to have made it on this list!! Thank you @el_d33 and all the cool people that gave a hand on this research!”

Kettle added: “Well-earned congratulations to @orange_8361, @ldionmarcil, Olivier Arteau, @fransrosen, @_s_n_t, @_mohemiv, Robin Peraglie, @9r4shar4j4y/@iambalaji7 and Luan Herrera! Your research is an inspiration to us all”

Fresh after his win in 2017, Orange Tsai took the top spot yet again with ‘Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!’, successfully demonstrating how flaws in path validation can be abused to generate wide-ranging results.

The Taiwan native, who unveiled his research at Black Hat USA in 2018, tweeted his thanks with an emoji.

“This is the second year running research by Orange has topped the board, so we’ll be paying close attention during 2019!” Kettle wrote.

‘Timeless technique’

Aldoub says he believes Orange Tsai’s widely-lauded research will be hard to beat next year.

He told The Daily Swig: “The number one technique – breaking parser logic – is a timeless technique and will probably be there to stay as a top contender.

“The more we automate, and we’re bound to, the more we depend on parsing and automated comprehension of input. And we’re going to keep falling in the same mistakes. If it’s not the parser being buggy, it could be the developer not knowing the parser features and behaviors.”

Soroush Dalili, who helped to judge the final list, told The Daily Swig: “I think it’s better that the top 10 techniques are only about new research, and not just vulnerabilities that have been patched, unless they use a new methodology.

“I think we have almost achieved this goal in this year’s top 10 and quality of the selected items is high overall. We owe this to the community and also to the researchers. Thank you all for sharing and caring!”

Aldoub concluded: “I think all these entries are amazing and are the fruits of so much great research and attention to detail by researchers.

“I think the top three techniques earned their winning positions. It’s an ultimatum to folks still doing regular AppSec. We need to evolve.”


This article has been updated to include comments from the judging panel