OAuth ‘masterclass’ crowned top web hacking technique of 2022

Adam Bannister 10 February 2023 at 14:56 UTC
Updated: 10 February 2023 at 16:10 UTC

Single sign-on and request smuggling dominated an exceptional year for web security research.


Frans Rosén, founder of Detectify, achieved recognition for his work on ‘Account hijacking using dirty dancing in sign-in OAuth-flows,’ which topped PortSwigger’s top 10 web hacking techniques of 2022.

The research, published in July, was praised by PortSwigger director of research James Kettle as a “masterclass in chaining OAuth quirks with low-impact URL-leak gadgets” in a blog post revealing the results on February 8.

Kettle noted, “Many of these bugs would previously have been dismissed as having no significant security impact, so they’ve had years to proliferate.”

DON’T MISS Top 10 web hacking techniques of 2022

Kettle commended Rosén for delivering “an outstanding piece of research that we expect to yield fruit for years to come.”

In an interview, Rosén expressed gratitude for his achievement: “I am really thankful and humble to end up in first place among so many great researchers and their awesome posts throughout the year.”

He further shared, “This year, I took a different approach by exploring a subject without starting with a single bug; it was merely an idea.”

READ MORE ‘Dirty dancing’ in OAuth: Researcher reveals how cyber-attacks can lead to account hijacking

Rosén thanked PortSwigger for acknowledging those in the industry who publicize their findings and methodologies: “This, in my view, is one of the best ways to progress the industry.”

Rosén was awarded the top spot by a panel of industry experts including Nicolas Grégoire, Soroush Dalili, Filedescriptor, and Kettle himself.

A New Era of HTTP Request Smuggling

Kettle himself won the silver medal for the second consecutive year and also secured sixth place for separate research showcased at Black Hat USA regarding HTTP header injection (note: panellists could not vote for their own work).

After his second-place finish in the 2021 rankings with ‘HTTP/2: The Sequel is Always Worse’, Kettle’s latest research impressed by exploring novel HTTP request smuggling vectors that compromised targets, including Amazon and Apache, effectively transitioning the attack client-side into victims’ browsers.

RELATED Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

Kettle described this research as “seriously technically challenging,” which led one judge to exclaim, “The creativity from desync worm to client-side desync is unparalleled.”

Kettle anticipates that request smuggling will continue to be a prolific source of novel threats until “HTTP/1 has been completely phased out.”

Memcache Injection and Zimbra Insights

In third place, Google’s Simon Scannell uncovered a memcached injection vulnerability in the webmail platform Zimbra, allowing attackers to poison victims’ caches and extract cleartext credentials.

READ MORE Business email platform Zimbra patches memcached injection flaw that jeopardizes user credentials

Kettle highlighted that this research, which also utilized request smuggling, underscored the significance of deep knowledge about a target.

Scannell, who was affiliated with Sonar at the time, noted in his findings: “By continuously injecting more responses than work items into Memcached’s shared response streams, we can compel random lookups to utilize injected responses instead of the correct ones.”

Advancing Boundaries in Research

The 16th annual edition of PortSwigger’s top 10 web hacking techniques received a record number of 46 nominations, which were narrowed down to 15 finalists based on voting from the infosec community.

Kettle remarked that while “outright novel techniques and class-breaks have become less common,” he observed that more researchers are “pushing at the boundaries and sharing their findings than ever before.”

Here’s a quick look at the rest of the top 10 (for a detailed analysis, refer to James Kettle’s post):

  • 4. ‘Hacking the Cloud with SAML’ by Felix Wilhelm culminates in an XML document exploiting an integer truncation bug to enable arbitrary bytecode execution.
  • 5. ‘Bypassing .NET Serialization Binders’ by Markus Wulftange introduced vulnerabilities in the DevExpress framework and Microsoft Exchange that opened the door to remote code execution.
  • 6. ‘Making HTTP header injection critical via response queue poisoning’ by James Kettle revisited the long-ignored response-splitting tactic with a high-impact case study.
  • 7. ‘Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes’ by Jacopo Tediosi utilized HTTP hop-by-hop headers to secure numerous bug bounties.
  • 8. ‘Psychic Signatures in Java’ by Neil Madden exploited the number 0 to forge ECDSA signatures, undermining core web technologies like JWT and SAML.
  • 9. ‘Practical client-Side Path Traversal Attacks’ by Medi illuminated an overlooked issue now recognized as a standalone vulnerability.
  • 10. ‘Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library’ by Sam Curry affected various cryptocurrency sites through XSS and SSRF, with cache poisoning originating from Netlify’s Next.js library.

PREVIOUS EDITION Dependency confusion tops the PortSwigger annual web hacking list for 2021

Based on an article from PortSwigger: https://portswigger.net/daily-swig/oauth-masterclass-crowned-top-web-hacking-technique-of-2022
