4/22/2024 Justplay app hack 2022

Director of 08 February 2023 at 14:20 UTC

Welcome to the Top 10 Web Hacking Techniques of 2022, the 16th edition of our annual community-powered effort to identify the most important and innovative web security research published in the last year.

Since publishing our call for nominations in January, you've submitted a record 46 nominations, and cast votes to single out 15 final-round candidates. Over the last two weeks, an expert panel of researchers Nicolas Grégoire, Soroush Dalili, Filedescriptor, and myself have analysed, conferred and voted on the 15 finalists, to bring you the final top 10 new web hacking techniques of 2022. As usual, we haven't excluded our own research, but panellists can't vote for anything they're affiliated with.

This year, for the third year running, there's been a noticeable improvement in the number of quality nominations. While outright novel techniques and class-breaks have gotten rarer, there are more people pushing at the boundaries and sharing their findings than ever. It's great to see the research ecosystem flourishing, even if it makes it harder to select a top ten!

Before we begin the countdown, I should note that any attempt to compress a year of research into a top ten list is going to leave valuable techniques overlooked. If you're hungry for knowledge, I highly recommend reading the entire nomination list.

From the final ten, two key themes stand out - single sign-on, and request smuggling. Let's take a closer look!

10 - Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library

As we find ways to shovel ever more complexity into our software, even websites that look static can hide serious vulnerabilities. In Exploiting Web3's Hidden Attack Surface, Sam Curry and Shubham Shah tear apart numerous cryptocurrency sites with a blend of XSS, SSRF and cache poisoning originating from Netlify's Next.js library. We're eager to see if the methodology and cryptocurrency ecosystem insights fuel further discoveries in this field.

9 - Practical client-side path-traversal attacks

Sometimes a vulnerability class can be quite visible, but remain overlooked for years due to low apparent severity. In Practical client-side path-traversal attacks, Medi explores a website behaviour that's very common - placing user input inside a request path - and demonstrates a clear pathway to real impact. This behaviour has surfaced in exploit chains a few times over the years, but this post shows it's time to recognise it as a vulnerability in its own right. This cousin of client-side parameter pollution has already inspired a follow-up that uses it for CSRF, and we're sure more will come.

8 - Psychic Signatures in Java

The catchily-named Psychic Signatures in Java by Neil Madden shows a critical and really very simple attack using the number 0 to forge ECDSA signatures, undermining the cryptographic foundation of numerous core web technologies including JWT and SAML. This use of an ancient crypto attack to topple modern web tech is a great reminder that you don't always need a complex attack to achieve massive impact - and as nice as abstractions are, sometimes it's worth looking further down the stack.

7 - Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes

Back in 2019, one of the nominations for the top 10 was an article theorising about the exploitation potential of HTTP hop-by-hop headers, and calling for further research on the topic. Three years later, Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes makes use of this concept for massive impact and a whole lot of bug bounties, establishing the technique as essential knowledge for web hackers and server implementers alike. We also appreciate how Jacopo Tediosi throws some rare light into the world of pain people using advanced techniques can encounter when trying to get their bug bounty reports triaged.
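Entry 9 describes the pattern in one phrase: a value taken from the page is spliced into a request path. The following is an added example, not code from the original article or from Medi's research. The origin https://app.example, the /api/users/<id>/profile endpoint and the ?id= query parameter are constructed for illustration. It shows the splice, the URL normalisation that lets dot segments walk out of the intended prefix, the allow-list plus encoding that closes it, and a prefix invariant that can be asserted in a unit test.

```javascript
// Added example: client-side path traversal (entry 9). Not code from the
// original article or from Medi's research; origin, endpoint and parameter
// names are constructed for illustration.

const ORIGIN = "https://app.example"; // constructed sample origin
const BASE_PATH = "/api/users/";

// Constructed sample of how ?id= arrives from the address bar. URLSearchParams
// percent-decodes the value, so "..%2F.." and "../.." both come out as "../..".
function idFromQuery(search) {
  return new URLSearchParams(search).get("id") ?? "";
}

// Vulnerable pattern: the identifier is spliced straight into the path.
// The URL parser (and fetch) then normalises "../" segments, so the request
// can leave /api/users/ entirely while still hitting the same origin.
function buildProfileUrlVulnerable(userId) {
  return new URL(`${BASE_PATH}${userId}/profile`, ORIGIN);
}

// Hardened pattern: allow-list the identifier's shape before it touches a
// path, and percent-encode it so "/" or "." can never become a path segment.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
function buildProfileUrlHardened(userId) {
  if (!ID_PATTERN.test(userId)) {
    throw new Error("invalid user id");
  }
  return new URL(`${BASE_PATH}${encodeURIComponent(userId)}/profile`, ORIGIN);
}

// Defensive invariant for tests or a last-line runtime check: after
// normalisation the request must still live under the intended prefix.
function escapesBase(url, basePath = BASE_PATH) {
  return !url.pathname.startsWith(basePath);
}

// Walk a few constructed inputs so the difference is visible when run directly.
function demo() {
  const inputs = ["alice", "../../admin/settings", "..%2F..%2Fadmin%2Fsettings"];
  return inputs.map((raw) => {
    const id = idFromQuery(`?id=${raw}`);
    const vuln = buildProfileUrlVulnerable(id);
    let hardened;
    try {
      hardened = buildProfileUrlHardened(id).pathname;
    } catch (e) {
      hardened = `rejected: ${e.message}`;
    }
    return { raw, vulnerablePath: vuln.pathname, escapes: escapesBase(vuln), hardened };
  });
}

if (typeof module !== "undefined" && require.main === module) {
  console.table(demo());
}
```

The invariant check is the cheap part to keep: whatever the identifier looks like, the resolved pathname has to start with the prefix the developer intended, and a test that feeds a few dot-segment inputs through the URL builder catches the regression before a browser does.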
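Entry 8 says the attack uses the number 0; the following added example shows where in an ECDSA verifier that number has to be rejected. It is not Neil Madden's code and not Java's implementation: the "lenient" verifier below is an assumption for illustration, modelling a verifier whose range check on r and s is missing and which reads the point at infinity as x = 0, beside a hardened verifier that enforces 1 <= r, s <= n-1. The curve is secp256k1 (public constants); the private scalar, the nonce and the digest (SHA-256 of the string "test") are constructed demo values.

```javascript
// Added example for entry 8: toy ECDSA over secp256k1 showing why the range
// check on r and s matters. Not Neil Madden's code nor Java's implementation;
// the lenient verifier models a missing check (assumption for illustration),
// and key, nonce and digest are constructed demo values.

// secp256k1 domain parameters (public constants).
const P = (1n << 256n) - (1n << 32n) - 977n;
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const G = {
  x: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
  y: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n,
};
const INF = null; // point at infinity

const mod = (a, m) => ((a % m) + m) % m;

function modPow(base, exp, m) {
  let result = 1n;
  base = mod(base, m);
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
    exp >>= 1n;
  }
  return result;
}

// Fermat inverse a^(m-2) mod m. For a == 0 it silently yields 0 instead of
// failing; that is the property a verifier without range checks ends up relying on.
const modInv = (a, m) => modPow(a, m - 2n, m);

function pointAdd(p1, p2) {
  if (p1 === INF) return p2;
  if (p2 === INF) return p1;
  let lam;
  if (p1.x === p2.x) {
    if (mod(p1.y + p2.y, P) === 0n) return INF; // p1 == -p2
    lam = mod(3n * p1.x * p1.x * modInv(2n * p1.y, P), P); // doubling, a = 0
  } else {
    lam = mod((p2.y - p1.y) * modInv(p2.x - p1.x, P), P);
  }
  const x3 = mod(lam * lam - p1.x - p2.x, P);
  return { x: x3, y: mod(lam * (p1.x - x3) - p1.y, P) };
}

function pointMul(k, pt) {
  let result = INF;
  let addend = pt;
  for (; k > 0n; k >>= 1n) {
    if (k & 1n) result = pointAdd(result, addend);
    addend = pointAdd(addend, addend);
  }
  return result;
}

// e is the message digest as an integer (SHA-256 of the message in practice).
function sign(d, e, k) {
  const r = mod(pointMul(k, G).x, N);
  const s = mod(modInv(k, N) * (e + r * d), N);
  if (r === 0n || s === 0n) throw new Error("degenerate signature, choose another k");
  return { r, s };
}

// Shared arithmetic: R = (e/s) * G + (r/s) * Q.
function recoverPoint(Q, e, r, s) {
  const w = modInv(s, N);
  return pointAdd(pointMul(mod(e * w, N), G), pointMul(mod(r * w, N), Q));
}

// Lenient model: no range check and infinity is read as x = 0. With r = s = 0
// both scalars become 0, R is infinity, and 0 == r holds for any public key.
function verifyLenient(Q, e, { r, s }) {
  const R = recoverPoint(Q, e, r, s);
  const x = R === INF ? 0n : mod(R.x, N);
  return x === r;
}

// Hardened: enforce 1 <= r, s <= n-1 before any arithmetic and reject infinity.
function verifyHardened(Q, e, { r, s }) {
  if (r < 1n || r >= N || s < 1n || s >= N) return false;
  const R = recoverPoint(Q, e, r, s);
  return R !== INF && mod(R.x, N) === r;
}

// Constructed demo material: throwaway private scalar, fixed nonce for a
// reproducible run, and SHA-256("test") as the digest.
const PRIVATE_KEY = 0x1f2e3d4c5b6a79880f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978n;
const PUBLIC_KEY = pointMul(PRIVATE_KEY, G);
const NONCE = 0xabcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789n;
const DIGEST = 0x9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08n;
const SIGNATURE = sign(PRIVATE_KEY, DIGEST, NONCE);
const ZERO_SIGNATURE = { r: 0n, s: 0n };
```

The toy exists only to show where the check belongs: before s is inverted, not after the point arithmetic. In production, use the platform's vetted ECDSA implementation and include an all-zero signature in the test suite for any code path that verifies JWTs or SAML assertions, so an accidental regression of this check is caught.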
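Entry 7 rests on a standards rule: RFC 7230 section 6.1 requires a proxy to remove every header named in a received Connection field before forwarding, so the client gets a say in which headers reach the origin. The following is an added example, not Akamai's code and not from Jacopo Tediosi's research; the proxy's own header (x-forwarded-for) and the sample request are constructed. It shows a fragile ordering in which the proxy decorates the request before stripping, the hardened ordering that strips first, and a detection hook that flags Connection tokens outside the standard hop-by-hop set.

```javascript
// Added example: hop-by-hop header handling in a forwarding proxy (entry 7).
// Not Akamai's code and not from Jacopo Tediosi's research; the proxy-added
// header and the sample request are constructed for illustration.

// Standard hop-by-hop headers that never survive a proxy hop.
const STANDARD_HOP_BY_HOP = new Set([
  "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
  "te", "trailer", "transfer-encoding", "upgrade",
]);

// Parse "Connection: close, X-Forwarded-For" into lowercase tokens.
function connectionTokens(headers) {
  const value = headers["connection"];
  if (!value) return [];
  return value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// RFC 7230 section 6.1: drop every header the Connection field nominates,
// plus the standard hop-by-hop set, before forwarding.
function stripHopByHop(headers) {
  const out = { ...headers };
  for (const name of connectionTokens(headers)) delete out[name];
  for (const name of STANDARD_HOP_BY_HOP) delete out[name];
  return out;
}

// Fragile ordering: decorate first, strip second. A client that lists the
// proxy's own header names in Connection erases them, and the origin receives
// a request missing the metadata the proxy meant to add.
function forwardFragile(clientHeaders, clientIp) {
  const decorated = { ...clientHeaders, "x-forwarded-for": clientIp };
  return stripHopByHop(decorated);
}

// Hardened ordering: strip the client's hop-by-hop headers first, then add the
// proxy's own. Client-controlled Connection tokens can no longer reach them.
function forwardHardened(clientHeaders, clientIp) {
  const cleaned = stripHopByHop(clientHeaders);
  return { ...cleaned, "x-forwarded-for": clientIp };
}

// Detection hook: Connection tokens naming anything outside the standard set
// are rare in legitimate traffic and worth logging at the edge.
function unusualConnectionTokens(headers) {
  return connectionTokens(headers).filter((t) => !STANDARD_HOP_BY_HOP.has(t));
}

// Constructed sample request; names are lowercased as Node's http module does.
const SAMPLE_REQUEST = {
  host: "www.example",
  connection: "close, x-forwarded-for",
  "user-agent": "demo/1.0",
  accept: "*/*",
};
```

The ordering fix is the whole mitigation for the proxy's own headers; the detection hook is the operational complement, since a Connection field that nominates anything other than the standard tokens is a cheap signal to alert on and to correlate with cache anomalies.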