PortSwigger Web Security’s annual Top 10 Web Hacking Techniques list has been announced, with dependency confusion attacks crowned the number one technique seen in 2021.
In first place for the 2021 top 10 came the dependency confusion attack from researcher Alex Birsan, who used the technique to gain access to Apple, Microsoft, and other high-profile companies.
He revealed details of the novel supply chain attack after undergoing a disclosure process with the impacted vendors.
The attack
Dependency confusion occurs when an attacker publishes a package on a public registry such as npm, PyPI or RubyGems under the same name as a package that a company only hosts on its private registry – a so-called internal ‘dependency’. A build or install that consults both registries may then fetch the attacker’s copy instead of the private one, typically because the public package carries a higher version number, and any install-time code it contains runs on the company’s machines.
Birsan demonstrated this by publishing packages carrying a call-home payload to the public npm, PyPI and RubyGems registries, under the names of internal packages he had found referenced in public sources such as leaked package.json files.
He was able to breach the internal systems of the organizations mentioned above, as well as Shopify, Netflix, Yelp, Tesla, and Uber – earning more than $130,000 in bug bounty payouts in the process.
In addition, dependency confusion flaws were detected inside more than 35 organizations. Birsan added that the “vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations”.
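The exposure described above can be audited before an attacker does it for you. The script below is an added example, not code from Birsan’s research or from PortSwigger: it checks an npm manifest for internal package names that a public upload of the same name could shadow, and it goes slightly beyond the article by also treating a scoped name as at risk when its scope has no registry pinned in .npmrc. The package.json, .npmrc, the @acme scope, the npm.acme.example host and the private-registry export are all constructed sample data, and the function names are the author’s own.

```python
"""Audit an npm manifest for dependency-confusion exposure.

Added example, not code from Birsan's research or from PortSwigger. It assumes
three inputs: a package.json, an .npmrc, and an export of the package names
hosted on the private registry. All three below are constructed sample data.
A dependency is flagged when it is an internal package whose name is unscoped,
or whose scope has no registry pinned in .npmrc, because such a name is also
resolved against the public registry, where an attacker's higher-versioned
upload wins.
"""
import json
import re

# Constructed sample package.json mixing public and internal packages.
PACKAGE_JSON = """{
  "name": "payments-service",
  "dependencies": {
    "express": "^4.18.2",
    "acme-internal-auth": "^2.1.0",
    "@acme/billing-core": "^1.4.0",
    "@acme-legacy/report-utils": "^0.9.1"
  }
}"""

# Constructed sample .npmrc: only the @acme scope is pinned to the private registry.
NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=${NPM_TOKEN}
"""

# Constructed export of the names that exist on the private registry.
PRIVATE_PACKAGES = {
    "acme-internal-auth",
    "@acme/billing-core",
    "@acme-legacy/report-utils",
}


def parse_npmrc_scopes(npmrc: str) -> dict:
    """Return {scope: registry_url} for each '@scope:registry=...' line."""
    scopes = {}
    for line in npmrc.splitlines():
        match = re.match(r"^(@[^:/]+):registry=(\S+)$", line.strip())
        if match:
            scopes[match.group(1)] = match.group(2)
    return scopes


def scope_of(name: str):
    """'@acme/billing-core' -> '@acme'; unscoped names return None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def audit(package_json: str, npmrc: str, private_packages: set) -> dict:
    """Classify every dependency as 'public' (not an internal name), 'pinned'
    (scoped, and the scope resolves only to the private registry) or
    'at-risk' (an internal name that a public upload could shadow)."""
    deps = json.loads(package_json).get("dependencies", {})
    pinned_scopes = parse_npmrc_scopes(npmrc)
    report = {}
    for name in deps:
        if name not in private_packages:
            report[name] = "public"
        elif scope_of(name) in pinned_scopes:
            report[name] = "pinned"
        else:
            report[name] = "at-risk"
    return report


def at_risk(package_json: str, npmrc: str, private_packages: set) -> list:
    """Sorted list of the dependencies an attacker could hijack by name alone."""
    result = audit(package_json, npmrc, private_packages)
    return sorted(name for name, status in result.items() if status == "at-risk")


if __name__ == "__main__":
    for name, status in audit(PACKAGE_JSON, NPMRC, PRIVATE_PACKAGES).items():
        print(f"{status:8} {name}")
```

Two caveats when running something like this for real. First, pointing the default `registry=` at a private proxy that mirrors the public registry does not by itself remove the risk; the outcome then depends on the proxy’s merge policy, so confirm that it never falls through to the public upstream for names it hosts. Second, the same resolution problem exists outside npm: pip’s `--extra-index-url` consults every index and picks the newest version across all of them, which is exactly the behaviour the attack relies on.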
Read more about 2021’s top rated attack technique here.
Second place
Coming in at number two was research from PortSwigger’s James Kettle, ‘HTTP/2: The Sequel is Always Worse’, which was independently submitted and voted for by the Top 10 panel.
Kettle, who had previously demonstrated fresh insight into HTTP request smuggling attacks, found that many sites remained vulnerable to smuggling despite upgrading to HTTP/2, because their front-end servers rewrote incoming HTTP/2 requests as HTTP/1.1 in order to talk to back-end servers. HTTP/2 frames carry an explicit body length, but once a request is rewritten the front end has to emit a Content-Length header, and a front end that copies a client-supplied Content-Length instead of deriving it from the body it actually received reintroduces the length ambiguity that request smuggling exploits.
The researcher calls this ‘HTTP/2 downgrading’ and used the attack to scoop a $20,000 bug bounty from Netflix, among others.
“Netflix was using the Netty Java library for their HTTP/2 support and that library forgot to verify that the Content-Length was correct,” Kettle previously told The Daily Swig.
By exploiting this flaw, an attacker could redirect users to their own website, achieve persistent JavaScript execution on Netflix’s core website, or hijack user accounts en masse.
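The following is an added example, not code from Kettle’s research, from Netflix or from the Netty library, that models the downgrade step just described. An HTTP/2 request is represented as a dict of pseudo-headers, headers and a body whose length HTTP/2 framing has already made explicit; a vulnerable front end copies the client’s Content-Length into the HTTP/1.1 request, a fixed one derives it from the body and refuses a contradicting header, and a minimal HTTP/1.1 parser shows what the back end makes of each byte stream. The hostname, paths, body contents and all function names are constructed for the illustration.

```python
"""Model of the HTTP/2 downgrade flaw behind 'H2.CL' request smuggling.

Added example, not code from Kettle's research or from Netflix/Netty. An
HTTP/2 request is modelled as a dict of pseudo-headers, headers and a body
whose length HTTP/2 framing has already made explicit. A front end that
downgrades it to HTTP/1.1 must emit a Content-Length for the back end: the
vulnerable variant copies the client's Content-Length, the fixed variant
derives it from the body and rejects a contradicting header. A minimal
HTTP/1.1 parser then shows how the back end carves up each byte stream.
All requests below are constructed.
"""

# Constructed attacker request: HTTP/2 framing delivers the whole body, but the
# Content-Length header claims only the first five bytes.
ATTACK_REQUEST = {
    ":method": "POST",
    ":path": "/n/",
    ":authority": "www.example.com",
    "content-length": "5",
    "body": (
        b"abcde"
        b"GET /smuggled HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"\r\n"
    ),
}

# Constructed benign request with no client-supplied Content-Length at all.
BENIGN_REQUEST = {
    ":method": "POST",
    ":path": "/n/",
    ":authority": "www.example.com",
    "body": b"q=search",
}


def build_h1(req: dict, headers: dict) -> bytes:
    """Serialize method, path, Host, the given headers and the body as HTTP/1.1."""
    lines = [
        f"{req[':method']} {req[':path']} HTTP/1.1",
        f"Host: {req[':authority']}",
    ]
    lines.extend(f"{name}: {value}" for name, value in headers.items())
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req["body"]


def downgrade_vulnerable(req: dict) -> bytes:
    """Forward the client's Content-Length verbatim; synthesize one only if absent."""
    headers = {k: v for k, v in req.items() if not k.startswith(":") and k != "body"}
    headers.setdefault("content-length", str(len(req["body"])))
    return build_h1(req, headers)


def downgrade_fixed(req: dict) -> bytes:
    """Derive Content-Length from the body HTTP/2 actually delivered and refuse
    a request whose own Content-Length header disagrees with it."""
    body_len = len(req["body"])
    declared = req.get("content-length")
    if declared is not None and int(declared) != body_len:
        raise ValueError(f"content-length {declared} != body length {body_len}")
    headers = {
        k: v for k, v in req.items()
        if not k.startswith(":") and k not in ("body", "content-length")
    }
    headers["content-length"] = str(body_len)
    return build_h1(req, headers)


def backend_split(stream: bytes) -> list:
    """Parse the connection like an HTTP/1.1 back end: headers up to the blank
    line, then exactly Content-Length body bytes, then the next request."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head_lines = stream[pos:end].decode("ascii").split("\r\n")
        content_length = 0
        for line in head_lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                content_length = int(value.strip())
        body_start = end + 4
        requests.append((head_lines[0], stream[body_start:body_start + content_length]))
        pos = body_start + content_length
    return requests


def fixed_rejects(req: dict) -> bool:
    """True when the hardened downgrade refuses the request."""
    try:
        downgrade_fixed(req)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for line, body in backend_split(downgrade_vulnerable(ATTACK_REQUEST)):
        print(f"back end saw: {line!r} body={body!r}")
    print("fixed front end rejects attack:", fixed_rejects(ATTACK_REQUEST))
```

With the vulnerable downgrade the back end sees two requests where the front end forwarded one; on a real deployment the leftover bytes are prepended to whatever the next user sends down the same back-end connection, which is the primitive behind the redirect, persistent JavaScript and account-hijack outcomes described above. The benign request goes through both variants unchanged, so the fix costs nothing for legitimate clients.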
You can find out more about each of the attacks here.
Speaking to The Daily Swig, James Kettle said that this year’s top 10 was “more tightly spaced than usual”.
The researcher added: “We had a suspicion dependency confusion would do well in the community vote, because it got independently nominated five times. We also saw less attempted ballot-stuffing in the community vote than usual.
“As mentioned in the post, the key theme was request smuggling. The volume of research on this topic made ranking a bit tricky as some new techniques were independently discovered multiple times.”