The 10 Web Hacking Techniques That Dominated 2019: How They Work and How to Stop Them
Web hacking is the art and science of exploiting vulnerabilities in web applications and servers to gain unauthorized access, steal data, or cause damage. Web hacking techniques are constantly evolving and becoming more sophisticated, as attackers find new ways to bypass security measures and exploit new technologies. In this article, we will review some of the most innovative and impactful web hacking techniques that were discovered or popularized in 2019.
1. Web Cache Deception
Web cache deception is a technique that leverages the behavior of web caches to expose sensitive information or execute malicious code on the victim's browser. The idea is to trick the web cache into storing a dynamic page (such as a user profile or a dashboard) as if it were a static resource (such as an image or a stylesheet). Then, the attacker can request the cached page and access the victim's data or inject malicious code into it.
Web cache deception was first documented by Omer Gil in 2017, but it gained more attention in 2019 when a team of researchers from Northeastern University published a paper titled "Cache and Confused: Web Cache Deception in the Wild". They developed a methodology and an infrastructure to perform large-scale experiments on hundreds of popular websites and found 37 exploitable instances of web cache deception. They also showed how the technique could be varied in multiple ways to perform a successful attack.
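The two caching rules at the heart of the technique, as an added example that is not from the paper or the article: a simulated edge cache in front of a constructed origin. The vulnerable cache decides what to store from the URL's file extension; the hardened cache stores only responses the origin explicitly marks `public`. The origin, the paths and the `EdgeCache` class are all assumptions made for the illustration.

```python
"""Simulated edge cache showing the caching rule web cache deception abuses
and the rule that closes it. Added example: origin, cache and URLs are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str]


def origin(path: str, user: Optional[str]) -> Response:
    """Constructed origin. The account page is served for any path under
    /account/profile (the trailing part is ignored), which is the path
    tolerance web cache deception needs."""
    if path.startswith("/account/profile"):
        if user is None:
            return Response(302, "", {"Location": "/login", "Cache-Control": "no-store"})
        return Response(200, f"profile of {user}: card ending 4242",
                        {"Content-Type": "text/html", "Cache-Control": "private, no-store"})
    if path == "/static/app.css":
        return Response(200, "body{}", {"Content-Type": "text/css",
                                        "Cache-Control": "public, max-age=3600"})
    return Response(404, "not found", {"Cache-Control": "no-store"})


STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg")


class EdgeCache:
    def __init__(self, policy: str):
        # "extension" is the vulnerable rule, "origin-headers" the hardened one
        self.policy = policy
        self.store: Dict[str, Response] = {}

    def is_cacheable(self, path: str, resp: Response) -> bool:
        if self.policy == "extension":
            # Vulnerable: anything that looks like a static file is cached,
            # regardless of what the origin actually returned.
            return path.endswith(STATIC_SUFFIXES)
        # Hardened: cache only what the origin explicitly marks as public.
        cc = resp.headers.get("Cache-Control", "")
        return (resp.status == 200 and "public" in cc
                and "no-store" not in cc and "private" not in cc)

    def get(self, path: str, user: Optional[str]) -> Response:
        # The cache key is the URL alone; cookies do not separate users here.
        if path in self.store:
            return self.store[path]
        resp = origin(path, user)
        if self.is_cacheable(path, resp):
            self.store[path] = resp
        return resp


def run_scenario(policy: str) -> Tuple[str, str]:
    """A logged-in victim opens the deceptive URL, then a logged-out attacker
    requests the same URL. Returns (victim_body, attacker_body)."""
    cache = EdgeCache(policy)
    victim = cache.get("/account/profile/anything.css", user="victim")
    attacker = cache.get("/account/profile/anything.css", user=None)
    return victim.body, attacker.body


if __name__ == "__main__":
    print("extension rule:     ", run_scenario("extension"))
    print("origin-headers rule:", run_scenario("origin-headers"))
```

Under the extension rule the attacker's second request is served the victim's profile from the cache; under the origin-headers rule the attacker only gets the login redirect, while `/static/app.css` is still cached normally. A real deployment should also make the origin reject unexpected path suffixes (return 404 rather than tolerate `/profile/anything.css`) and, at the edge, compare the response `Content-Type` with the extension before caching.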
2. XS-Leaks
XS-Leaks (short for cross-site leaks) are a family of techniques that exploit side-channels in web browsers to leak information about the user's activity across different origins. For example, an attacker can use XS-Leaks to infer whether the user is logged in to a certain website, what pages they have visited, what content they have searched for, or what CSRF tokens they have generated.
XS-Leaks are not a new concept, as they have been documented since at least 2009. However, they have become more prevalent and diverse in recent years, as new browser features and APIs have introduced new side-channels or amplified existing ones. In 2019, several researchers contributed to advancing the state of the art in XS-Leaks, such as Eduardo Vela with his introductory tutorial, Luan Herrera with his comprehensive list of known XS-Leak vectors, and James Kettle with his discovery of request timing attacks.
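Most XS-Leak vectors depend on the attacker's page being able to make the browser send a cross-site request to the target and then measure something about the response (its timing, size, status or whether it loaded at all). The server-side mitigation is to refuse such requests before any application logic runs, using the Fetch Metadata headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`) that modern browsers attach. The function below is an added example, not code from any of the researchers named above; it implements the resource isolation policy pattern browser vendors recommend for these headers, and the request dictionaries and the `guarded` wrapper are assumptions for the illustration.

```python
"""Resource isolation policy built on Fetch Metadata request headers: the
server-side mitigation for cross-site leaks. Added example; requests and the
handler interface are constructed."""
from typing import Callable, Dict, Tuple

VARY = "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"


def is_request_allowed(method: str, headers: Dict[str, str]) -> bool:
    """Decide, from request method and Fetch Metadata alone, whether the
    request may reach the application. Runs before any work whose duration
    or outcome a cross-site page could measure."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    # Browsers without Fetch Metadata send no header: allow, so the policy
    # is not a regression for them (they rely on the other defences).
    if site is None:
        return True
    # Our own origin, our own site, or a user-initiated request (address bar,
    # bookmark): these are not cross-site and are allowed.
    if site in ("same-origin", "same-site", "none"):
        return True
    # Cross-site top-level GET navigations are how users arrive via links;
    # allow them unless the destination is an embedding context. Framing
    # (dest=iframe) is still subject to frame-ancestors / X-Frame-Options.
    if (h.get("sec-fetch-mode") == "navigate" and method.upper() == "GET"
            and h.get("sec-fetch-dest") not in ("object", "embed")):
        return True
    # Everything else cross-site (fetch(), <img>, <script>, <link>, form
    # POSTs, ...) is refused, which removes the size, timing, status and
    # load/error signals XS-Leaks measure.
    return False


Handler = Callable[[], Tuple[int, str, Dict[str, str]]]


def guarded(method: str, headers: Dict[str, str], handler: Handler):
    """Minimal middleware: reject disallowed requests with 403 and add a Vary
    header so shared caches key on the Fetch Metadata that drove the decision."""
    if not is_request_allowed(method, headers):
        return 403, "", {"Vary": VARY}
    status, body, resp_headers = handler()
    return status, body, dict(resp_headers, Vary=VARY)


if __name__ == "__main__":
    # Constructed cross-site <img> request, the shape of a classic XS-Leak probe.
    probe = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
             "Sec-Fetch-Dest": "image"}
    print(guarded("GET", probe, lambda: (200, "search results", {})))
```

Because the rejection happens before the search, database lookup or template rendering, the 403 response looks the same for every user state, which is what closes the channel. The policy is best introduced in report-only mode first (log the would-be rejections) to find legitimate cross-site integrations before enforcing it.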
3. Server-Side Request Forgery on PDF Generators
Server-side request forgery (SSRF) is a technique that allows an attacker to make requests from a vulnerable server to other servers or services that are normally inaccessible from the outside. This can lead to information disclosure, remote code execution, or denial of service. SSRF vulnerabilities are often found in web applications that accept user-supplied URLs as input and perform some operation on them, such as fetching their content, generating thumbnails, or converting them to PDFs.
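The defensive check a URL-fetching feature such as a PDF generator needs, as an added example (not code from any of the products or reports the list refers to): every URL is restricted to `http`/`https`, the hostname is resolved up front, and every resolved address must be globally routable, so loopback, RFC 1918, link-local (which includes cloud metadata endpoints) and IPv4-mapped IPv6 addresses are refused. The resolver is injectable, so the example runs offline against a constructed DNS table; the function name and the `BLOCKED_NETWORKS` list are assumptions for the illustration.

```python
"""Allowlist-style validation of a user-supplied URL before a server-side
fetch (e.g. render-to-PDF). Added example; the stub resolver and its DNS
answers are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple, Union
from urllib.parse import urlsplit

# Ranges that must never be reachable from a fetcher, listed explicitly in
# addition to the is_global check so the policy is readable in review.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_url(url: str, resolver: Resolver = system_resolver
                       ) -> Tuple[bool, Union[str, list]]:
    """Return (True, [addresses]) or (False, reason). The caller must connect
    to one of the returned addresses rather than re-resolving (DNS rebinding),
    and must either not follow redirects or re-run this check on each hop."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)          # IP literal: no DNS needed
        addrs = {host}
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            addrs = set()
    if not addrs:
        return False, f"{host!r} does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.1 is 10.0.0.1 in disguise; check the inner address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global or any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, sorted(addrs)


# Constructed DNS table for offline use; addresses are illustrative only.
FAKE_DNS = {
    "docs.example.org": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def stub_resolver(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://docs.example.org/report", "http://intranet.corp.example/",
              "http://169.254.169.254/latest/", "file:///etc/passwd",
              "http://rebind.example/", "http://[::ffff:10.0.0.1]/"):
        print(u, "->", validate_fetch_url(u, stub_resolver))
```

The check is a gate, not the whole fix: the fetcher must also pin the connection to the vetted address, cap response size and time, and run with network egress rules that block internal ranges at the infrastructure layer in case a redirect or a second resolution slips past.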
4. HTTP Desync Attacks
HTTP desync attacks are a revival of the old technique of HTTP request smuggling, which allows an attacker to interfere with the way HTTP requests are processed by web servers and proxies. The attacker can send specially crafted requests that cause the server and the proxy to disagree on where one request ends and another begins, resulting in request splitting or request smuggling. This can lead to various attacks, such as bypassing security controls, stealing credentials, poisoning web caches, or hijacking HTTP responses.
This technique was brought back to life in 2019 by James Kettle, who published a detailed blog post and a tool called HTTP Request Smuggler. He also demonstrated how he used HTTP desync attacks to earn over $90k in bug bounties, compromise PayPal's login page twice, and kick off a wave of findings for the wider community. He also showed how HTTP desync attacks can be combined with other techniques, such as web cache deception, XSS, or DNS rebinding, to achieve more impact.
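The disagreement at the root of a desync is about message framing: whether a request's length comes from `Content-Length`, from `Transfer-Encoding: chunked`, or from an obfuscated header one parser honours and another ignores. The strict framing check below is an added example, not part of HTTP Request Smuggler or any server's code: it accepts only messages with exactly one unambiguous framing and rejects anything a front-end and back-end could read differently. The sample requests and the `AmbiguousRequest` exception are constructed for the illustration.

```python
"""Strict HTTP/1.1 request framing check of the kind a front-end proxy (or a
hardening review of one) should apply. Added example; sample requests are
constructed."""
import re
from typing import Dict, List, Tuple

# RFC 7230 token: header names must consist only of these characters, so a
# name like "Transfer-Encoding " (trailing space) is rejected outright.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"


class AmbiguousRequest(ValueError):
    """Raised for any message whose length two parsers could disagree on."""


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise AmbiguousRequest("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        if not sep or not re.fullmatch(TOKEN, name.decode("ascii", "replace")):
            raise AmbiguousRequest(f"malformed header name {name!r}")
        headers.append((name.decode("ascii").lower(),
                        value.strip(b" \t").decode("ascii", "replace")))
    return request_line, headers, body


def check_framing(raw: bytes) -> Dict[str, object]:
    """Return the single framing of the message, or raise AmbiguousRequest."""
    _, headers, _ = parse_headers(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        # The classic CL.TE / TE.CL setup: refuse rather than pick one.
        raise AmbiguousRequest("both Content-Length and Transfer-Encoding present")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        # Only the exact, single "chunked" coding; "xchunked", "chunked, identity"
        # and similar variants are what parsers disagree about.
        if codings != ["chunked"]:
            raise AmbiguousRequest(f"unsupported or obfuscated Transfer-Encoding {tes!r}")
        return {"framing": "chunked"}
    if cls:
        # Duplicate Content-Length headers must agree and must be plain digits.
        if len(set(cls)) != 1 or not re.fullmatch(r"[0-9]+", cls[0]):
            raise AmbiguousRequest(f"invalid or conflicting Content-Length {cls!r}")
        return {"framing": "content-length", "length": int(cls[0])}
    return {"framing": "content-length", "length": 0}


def rejects(raw: bytes) -> bool:
    """True if the message would be refused by check_framing."""
    try:
        check_framing(raw)
    except AmbiguousRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a request carrying both length headers.
    sample = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
    print("rejected:", rejects(sample))
```

In practice the strongest fix is to make the front-end normalise every request (or use HTTP/2 end to end) so the back-end never sees the ambiguous form; a check like this one is the policy that normalisation has to enforce, and it is also a useful unit test to run against whatever proxy configuration is in production.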
5. Microsoft Edge (Chromium) - EoP to Potential RCE
Microsoft Edge (Chromium) is the new version of Microsoft's web browser that is based on the Chromium open source project. It offers better performance, compatibility, and security than the legacy Edge browser, but it also inherits some of its vulnerabilities. In 2019, Abdulrhman Alqabandi discovered and exploited a chain of vulnerabilities in Microsoft Edge (Chromium) that could lead to elevation of privilege (EoP) and potential remote code execution (RCE) on the victim's machine.
The exploit chain involved several steps: first, the attacker lures the victim to visit a malicious website that uses a web vulnerability to access a privileged origin (such as edge://settings). Then, the attacker uses a binary vulnerability to escape the sandbox and execute arbitrary code on the victim's machine. The attacker can also leverage other features of the browser, such as extensions or notifications, to increase the chances of success or persistence. Alqabandi reported his findings to Microsoft and received $40,000 in bounties.
6. Exploiting Null Byte Buffer Overflow for a $40,000 bounty
A null byte buffer overflow is a type of memory corruption vulnerability that occurs when a program tries to copy a string of data that contains a null byte (a character with a value of zero) into a fixed-size buffer. The program may stop copying the data when it encounters the null byte, leaving the rest of the buffer uninitialized or filled with garbage values. This can lead to unexpected behavior, crashes, or code execution.
In 2019, Sam Curry and friends discovered and exploited a null byte buffer overflow vulnerability in Uber's partner web portal. They found that the portal used a vulnerable version of ImageMagick, a popular image processing library, to generate thumbnails for uploaded documents. By uploading a specially crafted image file that contained a null byte in its metadata, they were able to trigger the buffer overflow and overwrite the memory of the ImageMagick process. They then used a technique called return-oriented programming (ROP) to execute arbitrary code on the server and gain remote access. They reported their findings to Uber and received $40,000 in bounties.
7. Blind Regular Expression Injection
Blind regular expression injection is a technique that exploits the use of regular expressions (regex) in web applications to perform sensitive operations, such as validating user input, filtering output, or matching patterns. Regular expressions are powerful but complex tools that can be used to manipulate strings of data in various ways. However, they can also be vulnerable to attacks if they are not properly designed or implemented.
In 2019, Takashi Yoneuchi proposed and demonstrated blind regular expression injection as a novel type of attack that can be used to extract information from web applications that use regex without any visible feedback. He showed how an attacker can craft malicious input that causes the regex engine to enter a state of catastrophic backtracking, which consumes a lot of CPU time and causes noticeable delays in the application's response. By measuring these delays, the attacker can infer whether the regex matched or not, and gradually recover the secret information bit by bit.
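The timing channel only exists when an untrusted party controls a pattern that a backtracking engine evaluates against sensitive data. The added example below (not code from the research, and not a complete ReDoS detector) shows the two controls a defender applies: treat user input as a literal with `re.escape` by default, and when genuine regex support is required, lint the pattern for quantified groups that themselves contain quantifiers, the shape behind catastrophic backtracking, before it is ever compiled. The `has_nested_quantifier` heuristic, the length limit and the function names are assumptions for the illustration.

```python
"""Guarding a search feature against attacker-controlled regular expressions.
Added example; the linter is a deliberately simple heuristic and the sample
patterns are constructed."""
import re

QUANTIFIERS = set("*+?{")


def _quantified_at(pattern: str, i: int) -> bool:
    """True if pattern[i] starts a quantifier (just past a group's ')')."""
    return i < len(pattern) and pattern[i] in QUANTIFIERS


def has_nested_quantifier(pattern: str) -> bool:
    """Flag a quantified group that itself contains a quantifier, e.g. (a+)+
    or (\\d*)*. Escapes, character classes and (?...) group prefixes are
    handled; overlapping alternations such as (a|aa)+ are not modelled."""
    stack = []          # one entry per open group: quantifier seen inside?
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                 # skip escaped character
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            stack.append(False)
            if pattern[i + 1:i + 2] == "?":   # (?:, (?=, (?P<...> etc.
                i += 1                        # don't read the '?' as a quantifier
        elif c == ")":
            inner = stack.pop() if stack else False
            if inner and _quantified_at(pattern, i + 1):
                return True
            if stack:                 # outer group inherits what it encloses
                stack[-1] = stack[-1] or inner or _quantified_at(pattern, i + 1)
        elif c in QUANTIFIERS and stack:
            stack[-1] = True
        i += 1
    return False


def compile_user_pattern(user_pattern: str, allow_regex: bool = False,
                         max_len: int = 200) -> "re.Pattern":
    """Default: the input is searched for literally, so it can never steer
    backtracking. With allow_regex=True, risky patterns are refused before
    they are matched against anything sensitive."""
    if not allow_regex:
        return re.compile(re.escape(user_pattern))
    if len(user_pattern) > max_len or has_nested_quantifier(user_pattern):
        raise ValueError("pattern rejected: potential catastrophic backtracking")
    return re.compile(user_pattern)


def pattern_rejected(user_pattern: str) -> bool:
    try:
        compile_user_pattern(user_pattern, allow_regex=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in (r"(a+)+$", r"^[a-z]+$", r"(?:ab)+", r"(\d+)*"):
        print(f"{p!r:14} nested quantifier: {has_nested_quantifier(p)}")
```

Where user-supplied regex is a product requirement, the linter should be paired with an engine that guarantees linear time (RE2 and its bindings) or with a hard per-match timeout enforced outside the matching thread; Python's `re` offers neither, which is why the literal-search default is the safer baseline.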
8. Secrets Leaking in Continuous Integration Repositories/Logs
Secrets are sensitive pieces of information that are used to authenticate or authorize users, applications, or services. Examples of secrets include passwords, API keys, tokens, certificates, or encryption keys. Secrets should be protected and stored securely, as they can grant access to valuable resources or data. However, sometimes secrets can be leaked unintentionally or maliciously through various channels, such as code repositories, configuration files, logs, or environment variables.
In 2019, a team of researchers from North Carolina State University published a paper titled "How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories". They analyzed over 4 million GitHub repositories and found that 100,000 of them contained leaked secrets, such as API tokens, cryptographic keys, or passwords. They also found that 64% of the leaked secrets were still valid at the time of discovery, and that some of them could be used to access sensitive data or services, such as AWS accounts, Google Maps APIs, or email servers.
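The detection side of this problem combines two signals the paper's methodology also relies on: matching secrets with a known, fixed structure (cloud access key IDs, hosted-Git tokens, PEM private-key blocks) and flagging long strings whose character entropy is too high to be ordinary text. The scanner below is an added example, not the paper's tooling: it runs over constructed CI log output, reports each finding with its line number, and produces a redacted copy suitable for storing. The log lines, the dummy key values and the entropy threshold of 4.0 bits per character are assumptions for the illustration.

```python
"""Secret scanner for CI logs and repository text: known token formats plus
high-entropy strings, with redaction. Added example; the log and all key
values in it are constructed dummies."""
import math
import re
from typing import List, Tuple

KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # "<something>secret<...> = value" style assignments; the value is group 2
    "generic_assignment": re.compile(
        r"""(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)"""
        r"""[A-Za-z0-9_]*\s*[:=]\s*['"]?([^\s'"]{8,})"""),
}
# Long runs of token-like characters, checked by entropy; a trailing '=' or
# '==' (base64 padding) is allowed but '=' is not part of the run itself,
# so "NAME=value" splits into name and value.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 approaches 6, English text ~4."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, entropy_threshold: float = 4.0
                 ) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for each distinct finding."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, rx in KNOWN_FORMATS.items():
            for m in rx.finditer(line):
                value = m.group(2) if kind == "generic_assignment" else m.group(0)
                if value not in seen:
                    seen.add(value)
                    findings.append((lineno, kind, value))
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            if token not in seen and shannon_entropy(token) >= entropy_threshold:
                seen.add(token)
                findings.append((lineno, "high_entropy", token))
    return findings


def redact(text: str) -> str:
    """Copy of the text with every finding replaced, safe to persist as a log."""
    for _, _, value in find_secrets(text):
        text = text.replace(value, "[REDACTED]")
    return text


# Constructed CI log; the key material is dummy data, not real credentials.
SAMPLE_LOG = """\
[build] Installing dependencies
[deploy] export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
[deploy] export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[test] 42 passed in 3.1s
[git] token=ghp_000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for lineno, kind, value in find_secrets(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {value[:6]}...")
    print(redact(SAMPLE_LOG))
```

The two signals cover each other's blind spots: the access key ID on line 2 has low entropy and is only caught by its fixed `AKIA` prefix, while the secret key on line 3 has no fixed structure and is caught by its entropy (about 4.7 bits per character) and by the assignment pattern. Run in a pre-commit hook and on CI output before it is archived, this is the cheap end of the control; the expensive end is rotating anything that has already been printed, since the paper's finding is that most leaked secrets stay valid.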
9. Blind XSS via Google Translate
Cross-site scripting (XSS) is a technique that allows an attacker to inject malicious code into a web page that is viewed by another user. XSS can be used to perform various attacks, such as stealing cookies, hijacking sessions, defacing websites, or executing commands on the victim's browser. XSS can be classified into three types: reflected XSS, where the malicious code is embedded in a user-supplied parameter that is echoed back by the server; stored XSS, where the malicious code is stored on the server and displayed to other users; and blind XSS, where the malicious code is triggered by an unsuspecting third-party, such as an administrator or a support agent.
Web hacking is a dynamic and evolving field that requires constant learning and adaptation. The techniques we have reviewed in this article are some of the most innovative and impactful ones that were discovered or popularized in 2019. They demonstrate the creativity and skill of the web security community, as well as the challenges and risks that web developers and users face every day. We hope that this article has inspired you to learn more about web hacking and to stay updated on the latest developments and trends in this fascinating domain.