
An overview of the top web hacking techniques of 2017 - albinowax_
https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017
======
albinowax_
I know this is a teensy bit on the late side - this is our first year after
taking it over from WhiteHat. Anyway hopefully it's a valuable introduction to
some new threats that everyone doing stuff related to websites should be aware
of.

~~~
CiPHPerCoder
Some of these are vulnerabilities, some of these are techniques, some of these
are general security topics.

The list doesn't really match up with the title.

The content, however, is worth sharing.

~~~
albinowax_
Good to hear you like the content. Regarding the title, yeah it's a tricky one
to name. Ultimately the top few are new techniques illustrated using
vulnerabilities, and all the entries are evaluated through the lens of whether
the underlying technique can be adapted and applied to other systems.

Admittedly, Cloudbleed is a bit of a weird one. But I like it for that.

------
arayh
The blog version of regilero's HTTP smuggling is a really good read.

http://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/

------
idoubtit
I've read the first of the list (#10), and I'm skeptical this "top web
technique" has ever been used in the wild.

The blog post starts with a few obvious errors. OPcache has been part of PHP
since PHP 5.5 (http://php.net/manual/en/opcache.installation.php), not PHP7.
And "PHP7 by Rasmus Lerdorf" is almost a joke: he was certainly not a top
contributor to this iteration. These errors are not important _per se_, but
they point to an overall lack of quality, and suggest no one reviewed before
publication.

The article is not very clear about the vectors one needs to attack. Here is
the list:

1. A non-standard configuration that enables file cache in OPcache. Very
improbable.

2. Access to the result of phpinfo(), which gives many sensible details
about the PHP instance.

3. A security breach allowing the attacker to upload files into the cache
path without restriction on the file name.

4. The URL to a PHP file that received no HTTP query since the PHP server
started. The alternative is a configuration that disables in-memory caching in
OPcache, but that would be far too contrived.

When the server has all these vulnerabilities but uses write-protected PHP
files, then you can hack OPcache for remote code execution.

~~~
albinowax_
If you want to write off the entire post by looking at a single entry, I can
see why you'd pick #10, which is the lowest-ranked one.

It's clearly not as widespread as Tickettrick or as proven as Advanced Flash
Vulnerabilities, which is why it's ranked lower. But it's a neat trick which I
suspect is likely to be applicable to similar technologies in the future.

------
CryoLogic
Much of the scariest XSS (aka, most difficult to prevent) comes from the DOM
these days.

Edge, FF and Chrome don't follow the spec as well as they should, and the
result is a lot of minor browser incompatibilities that are very hard to
detect and fix.

Each browser is making modifications to the DOM spec, many of which make
introducing XSS and XSRF into a web app very easy.

Deep DOM and JS knowledge is a must-have for pen testers these days.

~~~
yathern
What's an example of a modification to DOM spec that introduces
vulnerabilities? I'm not sure I'm familiar with any.

~~~
CryoLogic
In MS Edge:

    // Set a cookie on the main (top-level) document
    document.cookie = 'secret=123';
    // Build a separate, detached HTML document from an empty string
    const parser = new DOMParser();
    const html = parser.parseFromString('', 'text/html');
    // Read the cookie jar of the detached document, not of the main one
    console.log(html.cookie);

This prints secret=123 because of an improperly implemented inheritance model.
Other browsers do NOT inherit cookies from the main document, as a result of
following the spec more closely.

