Feb 14, 2022 16:00:00

Top 10 Web Hacking Techniques for 2021

James Kettle , Research Director at security company PortSwigger , has put together the ' Top 10 Web Hacking Techniques for 2021 ' on PortSwigger's blog.

Top 10 web hacking techniques of 2021 | PortSwigger Research
https://portswigger.net/research/top-10-web-hacking-techniques-of-2021

The Top 10 Web Hacking Techniques in 2021 is the 2021 edition of PortSwigger's annual effort to identify the most important web security research published over the past year. The selection process started in January 2022, with 40 research papers recommended by the information security community voted for their favorite papers, narrowed down to 15 finalists, and finally a prominent security expert. Panel by has selected the top 10.

◆ 1: How to hack a large company using a software package
The most influential hacking technique of choice was security researcher Alex Birsan 's idea of 'hacking large companies with software packages.' Birsan devised 'replace internal packages used by companies with software with public packages containing malicious code,' the details of which are summarized in the following article.

How to hack big companies like Apple and PayPal using software 'packages'? --GIGAZINE

Regarding this technique, a panel of experts said, 'This attack is still under discussion and many security researchers, including myself, want to know where this research ends up. The attack is very. It's elegant, but is there room for improvement? Or is this just the humble beginning of a permanent new attack class? '

◆ 2: HTTP / 2 asynchronous attack / request tunneling / exploit primitive
PortSwigger's blog post , which shares asynchronous attacks for HTTP / 2, request tunneling using asynchronous attacks, and exploit primitives that exist in HTTP / 2, ranked second.

The panel of experts said, 'This study has everything the reader needs. The quality of the text, tools, and presentations, as well as the actual study and results, make this study very special.' 'This blog post is a great study of how HTTP / 2 is tremendously complicating the whole situation. Request smuggling is a never-ending down of HTTP because HTTP / 2 is still in place. We will borrow grades and upgrades to make them even more relevant. '

◆ 3: New attack surface of Microsoft Exchange
' New attack surface of Microsoft Exchange ' announced by Orange Tsai , a security researcher based in Taiwan who studies vulnerabilities in Microsoft Exchange, ranked third. In addition, Tsai's research has been ranked in Port Swigger's 'Top 10 Web Hacking Techniques' for the fifth consecutive year.

The panel of experts described Tsai's discovery as 'a perfect introduction to the architecture and targets of Microsoft Exchange, giving it a solid exploit and great impact.' 'It's an exciting entry for anyone who wants to get started seriously. 'It changes the way many people think about popular email solutions and reminds us that even the most secure-looking apps can easily break through security with perseverance and attention to detail.'

◆ 4: Abuse of client-side prototype contamination
A study

on the abuse of client-side prototype contamination published by security researcher s1r1us ranked fourth. Looking at the list of security researchers involved in the research, the dedicated panel is described as 'like the Avengers.'

◆ 5: Hidden OAuth attack vector
' Hidden OAuth Attack Vector ' is a hacking technique announced by PortSwigger security researcher Michael Stepankin , which delves into the OAuth and OpenID specifications and is designed to be the starting point for session poisoning and SSRF attacks . It reveals a defect.

◆ 6: Large-scale cash poisoning
Youstin's study , which proved that large-scale cash poisoning still remains overlooked, ranks sixth. The expert panel describes Youstin's paper as 'a demonstration of a technology that chains small inconsistencies with secret headers and misconfigurations.'

◆ 7: Vulnerability in JSON interoperability
Jake Miller's research on ' vulnerabilities in JSON interoperability ' is a detailed summary of vulnerabilities triggered by JSON parser inconsistencies.

◆ 8: Practical HTTP header smuggling
The research on ' practical HTTP header smagling ' pointed out by Daniel Thatcher ranked 8th. 'We are elegantly reconstructing a strategy that can identify both the vulnerabilities that exist in CL.CL and the common hidden header attacks,' the panel said of the study.

◆ 9: HTTP request smuggling over a higher HTTP version
Initially in 2021, the next version of HTTP / 1.1, HTTP / 2 , was considered an excellent communication protocol resistant to attacks such as timing attacks and DoS. However, security researcher Emil Lerner announced a cyberattack technique called ' HTTP request smuggling over a higher HTTP version.' This reveals a number of shortcomings that exist in HTTP / 2.

In a presentation on the following page, Russian security researchers talk about cyberattacks using the techniques presented by Lerner.

Несанкционированные HTTP-запросы через более поздние версии HTTP — The Standoff
https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/

◆ 10: XSS fuzzing using a nested parser
A method of launching a cross-site scripting (XSS) attack that exploits vulnerabilities in web applications using a technique called fuzzing that performs automated or semi-automated software testing using invalid data or unexpected data with a nested HTML parser. Is ranked in 10th place. This method was developed by Psych0tr1a , who studies the security of web applications. 'Impressive case studies and clear, practical methodologies have led to the establishment of this research as a top-class research paper,' Kettle points out.