Request smuggling attacks a key theme

Dependency confusion tops PortSwigger annual web hacking list for 2021

PortSwigger Web Security’s annual Top 10 Web Hacking Techniques list has been announced, with dependency confusion attacks crowned the number one technique seen in 2021.

The list was voted from 40 nominations down to the final 10 by an industry panel that included noted researchers Nicolas Grégoire, Soroush Dalili, and Filedescriptor.

In first place for the 2021 top 10 came the dependency confusion attack from researcher Alex Birsan, who used the technique to gain access to Apple, Microsoft, and other high-profile companies.

He revealed details of the novel supply chain attack after undergoing a disclosure process with the impacted vendors.

The attack

Dependency confusion occurs when an attacker is able to execute malware on a company’s network by overriding privately used software packages – so-called ‘dependencies’ – with malicious, public packages of the same name.

Birsan used this technique to upload malicious code to public RubyGems and Python packages, porting it into the dependencies.

READ MORE Researcher hacks Apple, Microsoft, and other major tech companies in novel supply chain attack

He was able to breach the internal systems of the above mentioned organizations, as well as Shopify, Netflix, Yelp, Tesla, and Uber – earning a $130,000 bug bounty payout in the process.

In addition, dependency confusion flaws were detected inside more than 35 organizations. Birsan added that the “vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations”.

Read more about 2021’s top rated attack technique here.

Second place

Coming in at number two was research from PortSwigger’s James Kettle, ‘HTTP/2: The Sequel is Always Worse’, which was independently submitted and voted for by the Top 10 panel.

Kettle, who previously demonstrated fresh insight into HTTP request smuggling attacks, found that despite upgrading to HTTP/2, many sites were still vulnerable to smuggling attacks due to the fact that they rewrote requests in order to talk to the backend server.

The researcher calls this ‘HTTP2 downgrading’ and was able to use the attack to scoop a $20,000 bug bounty from Netflix, among others.

BACKGROUND Black Hat USA: HTTP/2 flaws expose organizations to fresh wave of request smuggling attacks

“Netflix was using the Netty Java library for their HTTP/2 support and that library forgot to verify that the Content-Length was correct,” Kettle previously told The Daily Swig.

By exploiting this flaw, an attacker could redirect users to their own website, achieve persistent JavaScript execution on Netflix’s core website, or hijack user accounts en masse.

Read more about the attack here.

Read more of the latest news about hacking techniques

In third place was A New Attack Surface on MS Exchange by Orange Tsai, his fifth time in the top 10 list.

Fourth was Client-Side Prototype Pollution in the wild, while fifth place went to Hidden OAuth Attack Vectors.

In sixth was Cache Poisoning at Scale, seventh JSON Interoperability Vulnerabilities, and in eighth position was Practical HTTP Header Smuggling.

Finally, ninth place went to HTTP Smuggling via Higher HTTP Versions and 10th Fuzzing for XSS via Nested Parsers.

You can find out more about each of the attacks here.

Speaking to The Daily Swig, James Kettle said that this year’s top 10 was “more tightly spaced than usual”.

The researcher added: “We had a suspicion dependency confusion would do well in the community vote, because it got independently nominated five times. We also saw less attempted ballot-stuffing in the community vote than usual.

“As mentioned in the post, the key theme was request smuggling. The volume of research on this topic made ranking a bit tricky as some new techniques were independently discovered multiple times.”

RECOMMENDED Dependency confusion attack mounted via PyPi repo exposes flawed package installer behavior