Adam Bannister 10 February 2023 at 14:56 UTC
Updated: 10 February 2023 at 16:10 UTC
Single sign-on and request smuggling emerged as prominent topics in another remarkable year for web security research.
Detectify founder Frans Rosén has secured the top spot in PortSwigger’s list of the most significant web hacking techniques of 2022 with his work on ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.
Published in July, Rosén’s research was recognized by PortSwigger’s director of research, James Kettle, as “a masterclass” that combines little-known OAuth quirks with a range of low-impact URL-leak techniques, including postMessage leaks, cross-site scripting (XSS), and URL storage.
Kettle remarked that many vulnerabilities once considered negligible had proliferated unnoticed and were now potent threats.
Kettle commended Rosén for his outstanding research that is likely to have a lasting impact on the field.
In an interview with The Daily Swig, Rosén expressed gratitude for being recognized among distinguished researchers and contributors.
Reflecting on his process, he shared that he embarked on exploring the topic without any initial findings, driven solely by a concept he envisioned.
Rosén also highlighted the importance of publicly sharing discoveries to advance the industry.
Rosén was awarded first place by a panel that included experts like Nicolas Grégoire and Soroush Dalili.
A New Era of HTTP Request Smuggling
James Kettle claimed the silver medal once again, alongside a sixth-place honor for his independent research on HTTP header injection showcased at Black Hat USA.
Having also placed second in 2021 with ‘HTTP/2: The Sequel is Always Worse’, Kettle this time used novel HTTP request smuggling techniques that affected systems including Amazon and Apache, and extended the attack class to the client side with browser-powered desync attacks.
Kettle’s research was described as technically demanding and opened up new approaches to exploiting this class of vulnerability.
Kettle foresaw that the emergence of request smuggling would continue to present new challenges until HTTP/1 is fully phased out.
Memcached Vulnerabilities and Zimbra
In third place, Simon Scannell from Google uncovered a memcached injection vulnerability in the Zimbra platform, exposing users to potential credential theft.
Kettle acknowledged Scannell’s work for showing the significance of a deep understanding of targets in the security landscape.
In his research, Scannell elaborated on the strategy of injecting multiple responses to exploit memcached vulnerabilities.
Pushing the Boundaries of Security
This year’s edition of PortSwigger’s top web hacking techniques received a record 46 nominations, which were narrowed down to 15 finalists by the information security community’s votes.
Kettle remarked on the evolving nature of security research, noting a trend towards more researchers pushing the limits and sharing their discoveries widely.
Here is a brief overview of the remaining top 10 techniques (for a detailed analysis, refer to Kettle’s post):
- 4. ‘Hacking the Cloud with SAML’ by Felix Wilhelm – focuses on XML document exploitation, leading to arbitrary bytecode execution.
- 5. ‘Bypassing .NET Serialization Binders’ by Markus Wulftange – highlighted vulnerabilities in the DevExpress framework and Microsoft Exchange, paving the way for remote code execution.
- 6. ‘Making HTTP header injection critical via response queue poisoning’ by James Kettle – revisited response-splitting techniques with a major case study.
- 7. ‘Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes’ by Jacopo Tediosi – targeted HTTP hop-by-hop headers, resulting in several bug bounties.
- 8. ‘Psychic Signatures in Java’ by Neil Madden – demonstrated a critical vulnerability in core web technologies, enabling signature forgery.
- 9. ‘Practical Client-Side Path Traversal Attacks’ by Medi – brought attention to overlooked vulnerabilities within web applications.
- 10. ‘Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library’ by Sam Curry – compromised various cryptocurrency platforms through XSS, SSRF, and cache vulnerabilities.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/oauth-masterclass-crowned-top-web-hacking-technique-of-2022
