Adam Bannister 10 February 2023 at 14:56 UTC
Updated: 10 February 2023 at 16:10 UTC
In another remarkable year for web security research, single sign-on and request smuggling have taken center stage.
Frans Rosén, the founder of Detectify, has been recognized as the creator of the leading technique on PortSwigger’s top 10 web hacking techniques list for 2022. His research focused on ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.
This groundbreaking study was published in July and was described as a “masterclass in chaining OAuth quirks with low-impact URL-leak tools including promiscuous postMessages, third-party XSS, and URL storage” by James Kettle, the director of research at PortSwigger, in a blog post detailing the results announced on February 8.
Kettle noted that many bugs, previously disregarded as lacking significant security implications, have proliferated over the years.
Kettle commended Rosén for producing an “outstanding piece of research that is expected to yield results in the coming years.”
Rosén expressed his gratitude, stating, “I feel honored to be recognized among so many incredible researchers and their contributions throughout the year.”
He added, “This year, I approached my research without having a specific initial bug; it started as a concept I wanted to explore.”
Rosén thanked PortSwigger for publicly recognizing the individuals in the industry who disclose their findings and methodologies, noting that it is an important contribution to advancing the field.
Kettle secured the silver medal for the second consecutive year, additionally earning sixth place for a different HTTP header injection study, which was presented at Black Hat USA. (Note: panelists were prohibited from voting for their own submissions).
Kettle previously achieved second place in the 2021 rankings with his research, ‘HTTP/2: The Sequel is Always Worse’. This year, he showcased novel HTTP request smuggling strategies targeting services like Amazon and Apache, demonstrating the ability to extend attacks to victims’ browsers.
Judges remarked on the complexity of Kettle’s work, with one praising the creativity involved in transforming desync worm concepts into client-side desync attacks.
Kettle anticipates that request smuggling will continue to pose novel threats until the complete phase-out of HTTP/1.
A critical vulnerability in Zimbra
In third place, Simon Scannell from Google identified a memcached injection vulnerability in Zimbra, a webmail platform for businesses, that allowed attackers to manipulate a victim’s cache and steal cleartext credentials.
Kettle acknowledged that this study, which also involved request smuggling, highlighted the importance of in-depth knowledge about targeted systems.
Scannell, who was previously with Swiss company Sonar, explained in his findings: “By continually injecting more responses than there are work items into Memcached’s shared response streams, we can compel random lookups to use fabricated responses in place of the correct ones.”
Innovation at the edges
The 16th annual iteration of PortSwigger’s top 10 web hacking techniques began with a record 46 nominations, trimmed down to 15 contenders through votes from the information security community.
Kettle remarked that while “outright novel techniques and class-breaking discoveries have become less frequent,” there is an increasing trend of researchers “pushing boundaries and sharing their discoveries.”
For a quick overview, here are the remaining entries in the top 10 (for detailed analysis, refer to James Kettle’s post):
- 4. ‘Hacking the Cloud with SAML’ by Felix Wilhelm culminates in an XML document leveraging an integer truncation flaw to execute arbitrary bytecode during Java signature verification.
- 5. ‘Bypassing .NET Serialization Binders’ by Markus Wulftange exposed vulnerabilities in both the DevExpress framework and Microsoft Exchange, leading to potential remote code execution.
- 6. ‘Making HTTP header injection critical via response queue poisoning’ by James Kettle revisited the once-forgotten response-splitting method, presenting a high-impact case study.
- 7. ‘Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes’ by Jacopo Tediosi utilized HTTP hop-by-hop headers to achieve multiple bug bounties through meticulous triaging.
- 8. ‘Psychic Signatures in Java’ by Neil Madden exploited the number 0 to forge ECDSA signatures, undermining the cryptographic integrity of essential web technologies like JWT and SAML.
- 9. ‘Practical Client-Side Path Traversal Attacks’ by Medi highlighted an overlooked vulnerability class that deserves recognition in its own right.
- 10. ‘Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library’ by Sam Curry involved compromising various cryptocurrency platforms through XSS, SSRF, and cache poisoning stemming from Netlify’s Next.js framework.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/oauth-masterclass-crowned-top-web-hacking-technique-of-2022