Hacker News new | past | comments | ask | show | jobs | submit login
An overview of the top web hacking techniques of 2017 (portswigger.net)
144 points by albinowax_ 5 months ago | hide | past | web | favorite | 11 comments

I know this is a teensy bit on the late side - this is our first year after taking it over from WhiteHat. Anyway hopefully it's a valuable introduction to some new threats that everyone doing stuff related to websites should be aware of.

Some of these are vulnerabilities, some of these are techniques, some of these are general security topics.

The list doesn't really match up with the title.

The content, however, is worth sharing.

Good to hear you like the content. Regarding the title, yeah it's a tricky one to name. Ultimately the top few are new techniques illustrated using vulnerabilities, and all the entries are evaluated through the lens of whether the underlying technique can be adapted and applied to other systems.

Admittedly, Cloudbleed is a bit of a weird one. But I like it for that.

That page completely freezes my browser for about 30 seconds. Safari 12.0 on macOS 10.14.

Thanks for the heads up, I'll pass that on.

The blog version of regilero's HTTP smuggling is a really good read.


I've read the first of the list (#10), and I'm skeptical this "top web technique" has ever been used in the wild.

The blog post starts with a few obvious errors. OPcache is parts of PHP since [PHP 5.5](http://php.net/manual/en/opcache.installation.php), not PHP7. And "PHP7 by Rasmus Lerdof" is almost a joke: he was certainly not a top contributor to this iteration. These errors are not important _per se_, but they point to an overall lack of quality, and suggest no one reviewed before publication.

The article is not very clear about the vectors one needs to attack. Here is the list:

1. A non-standard configuration that enables file cache in OPcache. Very improbable.

2. An access to the result of phpinfo() which gives many sensible details about the PHP instance.

3. A security breach allowing the attacker to upload files into the cache path without restriction on the file name.

4. The URL to a PHP file that received no HTTP query since the PHP server started. The alternative is a configuration that disables in-memory caching in OPcache, but that would be far too contrived.

When the server has all these vulnerabilities but uses write-protected PHP files, then you can hack OPcache for remote code execution.

If you want to write off the entire post by looking at a single entry, I can see why you'd pick #10 which is the lowest ranked one.

It's clearly not as widespread as Tickettrick or as proven as Advanced Flash Vulnerabilities, which is why it's ranked lower. But it's a neat trick which I suspect is likely to be applicable to similar technologies in the future.

Much of the scariest XSS (aka, most difficult to prevent) comes from the DOM these days.

Edge, FF and Chrome don't follow the spec as well as they should, and the result is a lot of minor browser incompatibilities that are very hard to detect and fix.

Each browser is making modifications to the DOM spec, many of whom make introducing XSS and XSRF into a web app very easy.

Deep DOM and JS knowledge is a must have for pen testers these days.

What's an example of a modification to DOM spec that introduces vulnerabilities? I'm not sure I'm familiar with any.

in MS Edge

document.cookie = 'secret=123'; const parser = new DOMParser(); const html = parser.parseFromString('', 'text/html'); console.log(html.cookie);

prints secret=123 because of an improperly implemented inheritance model. other browsers do NOT inherit cookies from main document as a result of following the spec closer

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact