This is no basic listicle

PortSwigger announces the best web hacking techniques of 2019

PortSwigger Web Security has released its annual rundown of the best web hacking techniques of 2019.

The 10 methods, chosen by a junction of community and expert panelists, are defined, predominately, by breathing new life into once dated techniques.

Collective research that succeeds in fixing some of the web’s more precarious holes is also the reasoning behind the chosen picks and cream of the crop from 2019.

Take the third place entry from researchers Ben Sadeghipour and Cody Brocious – work that develops on existing knowledge in the field of Server Side Request Forgery (SSRF) to show how this technique can be adapted and applied to server-side PDF generators using DNS rebinding.

Check out Sadeghipour’s presentation from DEF CON 27 for the full lowdown.

As XSS vulnerabilities have entered mainstream awareness, cross-site leaks (XS-Leaks) have started to garner the attention of the researcher community.

It’s therefore no surprise to see the second podium for this year’s Top 10 given to the collective effort in developing this type of attack, which was first documented over a decade ago but has since evolved to include an ever-growing list of variants.

Whether it’s pushing forward research through Eduardo Vela’s introductory tutorial to the subject, or the team effort behind publicly listing known XS vectors, the use of the technique has not gone unnoticed – nor is likely to disappear any time soon.

Just last week, Japanese researcher Takashi Yoneuchi unveiled what he’s calling ‘blind regular expression injection’ – a theoretical exploit that would fall under the XS-Leak family, and yet another indication that researchers have only just scratched the (attack) surface.

But the number one spot in 2019 went to the researchers that quantified the real-world impact of web cache deception (WCD) vulnerabilities for the first time.

“We were certainly surprised to take the top spot,” the team, which included Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson, told The Daily Swig.

“We developed a methodology and built an infrastructure to perform large-scale experiments on hundreds of popular websites and found 37 exploitable instances.”

Building on the original WCD technique initially documented by security researcher Omer Gil, the ‘Cache and Confused’ (PDF) team additionally showed how the method could be altered in multiple ways to perform a successful attack.

“We hope that this number one spot can help our work garner more attention from the wider security community and pave the way for speedy development of defense,” they said.

“In the meantime, we strive to educate the internet community on the fact that web cache attacks are often system problems, and they need joint effort from server operators and web cache vendors to mitigate.”

Community favorite

Despite bounties earned being no concrete measure of web hacking success, HTTP desync attacks, a technique that revives the once feared HTTP request smuggling method, brought security researcher James Kettle $90,000, partly for its achievement in compromising PayPal’s login page… twice.

Presented initially at last year’s Black Hat USA, Kettle was awarded the Community Favorite in the Top 10 – a clear winner for shedding light on the inconsistencies of the HTTP request protocol with finite simplicity.

While hesitant to make predictions on what the list means for future developments in both web security and offensive hacking, James Kettle, head of security at PortSwigger and one of the lead panelists involved in curating the Top 10, finds certainty in the rising difficulty of breaking things in today’s online landscape.

“The interesting thing this year, is that we’re seeing the top entries are increasingly collaborative, in that, the top three are the work of multiple different researchers, which build on the prior work from prior researchers,” Kettle told The Daily Swig.

“We really saw companies reacting more to the web vulnerabilities that were discovered in 2019.

“We saw Amazon release a new locked down version for their EC2 metadata end point, which is clearly related to the SSRF threat, and browser XSS filters getting removed [Edge and Chrome] is a partial result of XS-Leaks.”

Web hacking hit list

PortSwigger’s Top 10 Web Hacking Techniques of 2019 received 51 nominations, all of which were put forward by the infosec community.

The Top 10 was selected by a panel consisting of Nicolas Grégoire, Soroush Dalili, Filedescriptor, and James Kettle.

The full list includes:

  1. Cache and Confused: Web Cache Deception in the Wild via Cache and Confused team
  2. Cross-Site Leaks via Eduardo Vela et al
  3. Owning the Clout through Sever Side Request Forgery via Ben Sadeghipour and Cody Brocious
  4. Abusing Meta Programming for Unauthenticated RCE via Orange Tsai
  5. Google Search XSS via Masato Kinugawa and LiveOverflow
  6. All is XSS that comes to the .NET via Paweł Hałdrzyński
  7. Exploring CI Services as a Bug Bounty Hunter via EdOverflow et al
  8. Infiltrating Corporate Intranet like NSA: Pre-Auth RCE on Leading SSL VPNs via Orange Tsai and Meh Chang
  9. Microsoft Edge (Chromium) – EoP to Potential RCE via Abdulrhman Alqabandi
  10. Exploiting Null Byte Buffer Overflow for a $40,000 bounty via Sam Curry

Check out last year’s winners on the PortSwigger Research website.

YOU MIGHT ALSO LIKE Path confusion: Web cache deception threatens user information online