Adam Bannister 10 February 2023 at 14:56 UTC
Updated: 10 February 2023 at 16:10 UTC
Research into single sign-on vulnerabilities and HTTP request smuggling made 2022 another remarkable year for web security research.
Frans Rosén, the founder of Detectify, was recognized as the leading innovator in PortSwigger’s top 10 web hacking techniques of 2022 with his method called ‘Account hijacking using dirty dancing in sign-in OAuth flows’.
Published in July, this research was praised by PortSwigger’s research director James Kettle, who described it as a “masterclass in chaining OAuth quirks with low-impact URL-leak gadgets such as promiscuous postMessages, third-party XSS, and URL storage” in a blog post that revealed the rankings on February 8.
Kettle emphasized that vulnerabilities once dismissed because of their perceived low impact have proliferated over the years.
Rosén expressed gratitude for being recognized among many distinguished researchers, noting that he began his investigation with only a concept rather than a specific bug.
Kettle himself took the silver medal for his work on novel HTTP request smuggling techniques, and also secured sixth place for a separate research project on HTTP header injection presented at Black Hat USA.
A new frontier in HTTP request smuggling
Kettle’s second-place finish repeated his result from 2021, when he also came second with his research on HTTP/2 vulnerabilities.
His latest work showcased innovative HTTP request smuggling methods, effectively compromising various targets, including Amazon and Apache, and extending attacks into client-side contexts.
Kettle’s work was recognized as technically challenging, with one judge commending the creativity behind linking desync worm strategies to client-side vulnerabilities.
He expects request smuggling to keep yielding new threats until HTTP/1 is finally retired.
Memcache injection and Zimbra
Google’s Simon Scannell earned third place by identifying a memcached injection flaw in the Zimbra webmail platform, which allowed attackers to manipulate the victim’s cache and access plaintext credentials.
Kettle remarked that this research illustrated the necessity of in-depth target knowledge for effective exploitation.
Scannell, previously with Sonar, explained in his write-up how injected memcached commands could be used to alter the responses returned for the victim’s cache lookups.
‘Pushing at the boundaries’
The 16th edition of PortSwigger’s annual review observed a record-breaking 46 nominations narrowed to just 15 finalists based on public voting.
Kettle noted that while novel techniques have become scarcer, researchers are increasingly expanding boundaries and sharing their insights.
Here’s a summary of the remaining top 10 methods:
- 4. ‘Hacking the Cloud with SAML’ by Felix Wilhelm: Leveraging an integer error to enable arbitrary code execution through an XML document.
- 5. ‘Bypassing .NET Serialization Binders’ by Markus Wulftange: Resulting in critical vulnerabilities for Microsoft products.
- 6. ‘Making HTTP header injection critical via response queue poisoning’ by James Kettle: A significant examination of a neglected response-splitting method.
- 7. ‘Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes’ by Jacopo Tediosi: Exploiting header configurations for various vulnerabilities.
- 8. ‘Psychic Signatures in Java’ by Neil Madden: Exposing the flaws in ECDSA signature verification systems.
- 9. ‘Practical Client-Side Path Traversal Attacks’ by Medi: Bringing attention to a crucial but overlooked web vulnerability.
- 10. ‘Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library’ by Sam Curry: Targeting cryptocurrency platforms using multiple attack vectors.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/oauth-masterclass-crowned-top-web-hacking-technique-of-2022