Top 10 web hacking techniques of 2023



Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year.

This year, in response to our call for nominations the community submitted a record 68 entries, and cast votes to select 15 finalists. The finalists were then analysed over two weeks and voted on by an expert panel of researchers Nicolas Grégoire, Soroush Dalili, Filedescriptor, and myself to select the top ten new web hacking techniques of 2023! As usual, we haven’t excluded our own research, but panellists can’t vote for anything they’re affiliated with.

The standard of competition has once again been extremely fierce, with many posts I personally rate failing to even survive the community vote. I highly recommend that everyone with time to spare peruse the entire nomination list, and we’ve added AI-generated summaries for every entry to help you evaluate which ones to dive into.

With all that said, let’s start the countdown!

10. can I speak to your manager? hacking root EPP servers to take control of zones

In tenth place, we have a beautiful insight into some overlooked and incredibly valuable attack-surface. In can I speak to your manager? hacking root EPP servers to take control of zones, Sam Curry, Brett Buerhaus, Rhys Elsmore, and Shubham Shah give us a timeless lesson that critical internet infrastructure can be shockingly fragile, and the easiest route to hack something might be many layers away.

9. Cookie Crumbles: Breaking and Fixing Web Session Integrity

In ninth, Cookie Crumbles: Breaking and Fixing Web Session Integrity takes a harsh look at the state of web cookies from numerous angles. One standout technique is CSRF token fixation – a cousin of session fixation, which they use to exploit numerous authentication libraries, notably including popular PHP framework Symfony. If you want to perform a CSRF attack in 2024, read this paper. Excellent work from Marco Squarcina, Pedro Adão, Lorenzo Veronese and Matteo Maffei.

8. From Akamai to F5 to NTLM… with love.

In eighth place, From Akamai to F5 to NTLM… with love offers proof that HTTP Desync Attacks still haunt the internet. D3d’s deadvolvo’s work stands out thanks to a rich exploration of the research thought process, sharing the whole journey and capturing the sheer scope and impact of this bug class. Both vulnerable server vendors refuse to pay bounties, and instead rely on their exposed customers paying out bounties to incentivize this kind of research, which creates some interesting dynamics. Best not to think about it.

7. How I Hacked Microsoft Teams and got $150,000 in Pwn2Own

How I Hacked Microsoft Teams takes you through the conception and development of a $150,000 exploit chain. This presentation by Masato Kinugawa is meticulously crafted to let the reader rediscover the exploit themselves, so I won’t spoil it by describing the techniques involved. Rather than introducing a novel class of attack, it’s a holistic insight into his innovative approach to bypassing protections. I’d recommend everyone read it, but it’s particularly worth reading if you want to find non-trivial bugs in Electron applications.

6. HTTP Request Splitting vulnerabilities exploitation

It’s easy to under-estimate the scope of HTTP Request Splitting because frankly, it shouldn’t exist in any mainstream server in 2023. However, nginx apparently thinks otherwise, making this vulnerability a common and high-impact goldmine for hackers. In HTTP Request Splitting vulnerabilities exploitation, Sergey Bobrov provides a broad range of case-studies showing creative pathways to maximum impact. You can expect this to remain valuable until nginx changes their position, or HTTP/1.1 fades out of existence. I’ll write them an email.

5. Exploiting HTTP Parsers Inconsistencies

In fifth place, Exploiting HTTP Parsers Inconsistencies by Rafael da Costa Santos takes familiar parser confusion techniques and reapplies them in new contexts, discovering ACL bypasses, SSRF, cache poisoning, and of course WAF bypasses. It takes serious skill to make research look this easy.

4. PHP filter chains: file read from error-based oracle

In 2022, hash_kitten invented an extremely creative technique to leak the contents of files by repeatedly using PHP filters to trigger conditional out-of-memory exceptions, but the community struggled to replicate it and the technique largely escaped attention. In PHP filter chains: file read from error-based oracle, Rémi Matasse gives this amazing technique the in-depth explanation, optimisations, and accompanying toolkit that it so badly deserves. This technique is fascinating and we’re intrigued to see if it gets taken further in PHP or other languages.

3. SMTP Smuggling – Spoofing E-Mails Worldwide

In well-earned third place comes SMTP Smuggling – Spoofing E-Mails Worldwide by Timo Longin. This research continues the parser discrepancy storm by adapting HTTP request smuggling techniques to exploit SMTP instead. It contains all the hallmarks of outstanding research: innovative ideas, high-impact case-studies targeting well-known software, in-depth explanations, tools, and ample potential for further research. We think it could serve as a solid foundation for identifying smuggling issues in different protocols or even for discovering additional techniques within SMTP itself. It also offers a clear lesson; if you’re using a text-based protocol with multiple parsers, beware!

Massive congrats to Timo Longin and SEC Consult for this contribution to internet security!

2. Exploiting Hardened .NET Deserialization

Exploiting Hardened .NET Deserialization by Piotr Bazydło provides an absolute deserialization masterclass. The introduction lays out the goal: “show that targets that appear not to be exploitable, may be in fact vulnerable”. The subsequent 100 pages achieve it. Invest your time in these pages and they will reward you by destroying any faith you might have had in blocklist-based deserialization mitigations, and equipping you with the means to personally get that RCE. It’s available as a conference presentation too. Highlights for the panel included the beautiful gadgets CredentialIntializer and SettingsPropertyValue, and the insecure serialization attack on the deserialize->serialize pattern.

This is an outstanding contribution to the community from Piotr Bazydło and Trend Micro ZDI – awesome work!

1. Smashing the state machine: the true potential of web race conditions

Well, this is awkward. I always knew there was a risk to rating research when I also publish it myself, and after seven years it’s happened – I now have to declare that my own research is the best. Next year I’m going to figure out a strategy for reclaiming some resemblance of integrity but for now, let’s hear from the rest of the panel:

In recent years, there was not much to say about web race conditions – testers have a good idea where they are, establish whether they work or not, and move on. Not anymore. Smashing the state machine by James Kettle highlights previously overlooked aspects of race condition attacks in everyday applications. It focuses on the multi-step aspect of race condition attacks to achieve greater impact, and adapts recent techniques abusing the latest HTTP stacks to maximise exploitability. Although executing some of these attacks may prove challenging, I believe this research holds great potential for the future!

Conclusion

2023 saw the security community publish a huge quantity of quality research, resulting in fierce competition in both the community vote and the panel vote phases.

The community engagement is what gives this project spark so if you have opinions about our rankings, or would simply like to share your personal top ten, feel free to post them and tag us on X/Mastodon/LinkedIn. One thing we can all agree on is that any possible selection of ten winners from 78 nominations is going to leave a lot of good techniques behind so it’s well worth revisiting the nomination list too!

Part of what lands an entry in the top 10 is its expected longevity, so it’s well worth getting caught up with past years’ top 10s too. If you’re interested in getting a preview of what might win from 2024, you can subscribe to our RSS, join r/websecurityresearch, or follow us on social. If you’re interested in doing this kind of research yourself, I’ve shared a few lessons I’ve learned over the years in Hunting Evasive Vulnerabilities, and So you want to be a web security researcher?

Thanks again to everyone who took part! Without your nominations, votes, and most importantly research, this wouldn’t be possible.

Till next time!

Originally published by James Kettle: Top 10 web hacking techniques of 2023

Copyright notice: posted by admin on 20 February 2024 at 9:38 am.
Please credit when reposting: Top 10 web hacking techniques of 2023 | CTF导航
