A novel alternative to traditional HTTP request smuggling that spotlighted an obsolete, hitherto obscure protocol has been recognized as 2020’s top web hacking technique.
Unveiled by Bishop Fox researchers in September, HTTP/2 cleartext (H2C) smuggling “abuses H2C-unaware front-ends to create a tunnel to backend systems, enabling attackers to bypass frontend rewrite rules and exploit internal HTTP headers,” explains James Kettle, head of research at PortSwigger Web Security*, in the company’s rundown of 2020’s most impressive web hacking techniques.
“Conceptually similar” to, but “significantly more practical” than, last year’s WebSocket smuggling, “request tunnelling exploitation is an emerging art so this one may be a slow burn, but we anticipate some serious carnage in future,” continues Kettle.
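As an added defensive illustration (not code from the article, PortSwigger or Bishop Fox), the Python below sketches what an H2C-aware front-end does with the headers that make the tunnel possible: it flags an `Upgrade: h2c` request so the attempt can be logged, and strips the hop-by-hop headers (`Connection` and everything it names, plus `Upgrade` and `HTTP2-Settings`) before forwarding, so the back-end never receives an upgrade the proxy did not negotiate itself. The request and its values are constructed sample data.

```python
# Constructed sample: an HTTP/1.1 request carrying an h2c upgrade attempt
# aimed at a front-end that does not understand HTTP/2 cleartext.
SAMPLE_REQUEST = (
    "GET /public HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Connection: Upgrade, HTTP2-Settings\r\n"
    "Upgrade: h2c\r\n"
    "HTTP2-Settings: CONSTRUCTED_SETTINGS_VALUE\r\n"
    "\r\n"
)


def parse_headers(raw: str):
    """Split a raw request into its request line and a list of (name, value)."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def is_h2c_upgrade(headers) -> bool:
    """True when the client asks the back-end to switch to HTTP/2 cleartext."""
    upgrade_values = [v for n, v in headers if n.lower() == "upgrade"]
    return any(tok.strip().lower() == "h2c"
               for v in upgrade_values for tok in v.split(","))


def strip_hop_by_hop(headers):
    """Drop Connection, every header it names, and the h2c upgrade headers.

    Hop-by-hop headers describe the client-to-proxy hop only; forwarding
    them unchanged is what lets the back-end complete an upgrade the proxy
    is unaware of."""
    named = set()
    for n, v in headers:
        if n.lower() == "connection":
            named.update(t.strip().lower() for t in v.split(","))
    drop = named | {"connection", "upgrade", "http2-settings"}
    return [(n, v) for n, v in headers if n.lower() not in drop]


def sanitize_request(raw: str):
    """Return (upgrade_attempted, request as the proxy should forward it)."""
    request_line, headers = parse_headers(raw)
    flagged = is_h2c_upgrade(headers)  # log this at the edge
    kept = strip_hop_by_hop(headers)
    body = "".join(f"{n}: {v}\r\n" for n, v in kept)
    return flagged, f"{request_line}\r\n{body}\r\n"
```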
Claiming silver medal in the top 10 web hacking techniques, which landed today (February 24) following a community vote and final verdict by an expert panel, is research from fellow PortSwigger researcher Gareth Heyes that breaks new ground in PDF exploitation.
In Portable Data exFiltration, Heyes “tackles the format and stretches PDF parsers to go from PDF link injection to document theft, JavaScript execution and SSRF”, says Kettle, who noted that he did not vote for his colleague’s technique, given the obvious conflict of interest.
Bronze position was taken by British bug hunter Sam Curry, who exploited the “entangled mess of proxies, load balancers, and micro services” powering modern websites in his research, ‘Attacking secondary contexts in web applications’.
Kettle said Curry’s “exceptional clarity” and “numerous case studies make this an outstanding, must-watch presentation for newbies and experts alike”.
Farewell SQLi?
“Once again we’re seeing a nice overview of novel techniques discovered by quality research, showing that despite significant improvements in secure development practices and supporting frameworks there are still numerous ways in which applications fail,” Wim Remes, founder and CEO of Belgian infosec firm Wire Security, tells The Daily Swig.
While countless other sectors have had to adapt their business model in response to the Covid-19 pandemic, offensive web security research is continually being forced to evolve in response to ongoing improvements to application security.
Michał Bentkowski, chief security researcher at Polish cybersecurity outfit Securitum, tells The Daily Swig: “Most of the entries don’t present a completely new or novel attack technique but rather an improvement to an already known one.
“I think that this proves that ‘classic’ web application vulnerabilities like SQL Injection, XXE etc. are getting rarer and rarer, thus attackers and researchers need to come up with more and more sophisticated methods to exploit the vulnerabilities.”
Bishop Fox researchers unveiled their H2C smuggling research in September 2020
While applications themselves are becoming more secure, the increasingly multifaceted layers below are creating opportunities for innovative researchers.
“Most attacks don’t touch the web application directly but the layers below it: reverse proxies, caches, routers, TLS, HTTP/2, etc,” explains Bentkowski. “I believe that this trend is going to continue, given the complexity of webapps is increasing.”
Remes makes a similar point: “The cloud makes everything easier, or so it seems,” he says.
“With the advent of serverless computing, we risk [losing] insight into the extremely abstracted layers that allow our applications to run. This includes proxies, load balancers, web application firewalls, and all of the very complex functions they provide.
“Understanding what those components do, how they impact our applications, and – most importantly – what they do not do, is critical to developing a threat model for your application or infrastructure.”
DevOps sandbox
According to Remes, the emergence of DevOps as “the preferred way of running software factories” is reflected in the top 10’s composition.
“Some of the weaknesses have moved from the code to the infrastructure and supporting components,” he says. “Managing how your code interacts with all the different components and how they contribute to your attack surface should be of the utmost priority.”
Looking ahead to the rest of 2021, Bentkowski notes the inclusion of only one client-side attack, Heyes’s ‘XSS for PDFs’ piece.
“These attacks seem to be undervalued, especially in a world where almost all sensitive data is processed via the browser! I hope that this year will see more novel attacks in this area.”
Remes adds: “I’m impressed that in a year like 2020, where everybody has been put under extreme stress, the output from our community, that is so committed to sharing knowledge, has been exemplary.
“We should always remember that the best defenders out there rely on this information to continuously improve their protective mechanisms.
“It is much too easy to see the disclosure of novel techniques as counterproductive. I’d like to close by paraphrasing Prince: ‘Like books and black lives, offensive research still matters’.”