Web hacking techniques of 2024

1.??? Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

Bypassing HTML sanitizers using parsing differentials to exploit mutation-based XSS vulnerabilities.

2.??? Efficient Detection of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction

Using a bottom-up approach to more efficiently detect Java deserialization gadget chains and leveraging data flow dependencies for payload generation.

3.??? DoubleClickjacking: A New Era of UI Redressing

DoubleClickjacking exploits the timing gap between mousedown and onclick events to bypass clickjacking protections and hijack user actions.

4.??? MSSQL Identified as Vulnerable to Emoji String Exploitation

Exploiting Unicode collation logic discrepancies in MSSQL to treat a goblin emoji as an empty string, enabling brute-force attacks.

5.??? Teaching the Old .NET Remoting New Exploitation Tricks

Bypassing .NET Remoting security by leveraging XAML parsing to perform deserialization attacks that create privileged objects like WebClient for remote code execution despite TypeFilterLevel.Low and CAS restrictions.

6.??? JNDI Injection Remote Code Execution via Path Manipulation in MemoryUserDatabaseFactory

JNDI injection to manipulate the pathname in MemoryUserDatabaseFactory for remote code execution via crafted XML and directory creation using BeanFactory method invocation.

7.??? CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js

Arbitrary JavaScript execution through manipulated FontMatrix in PDF.js font rendering.

8.??? MongoDB NoSQL Injection with Aggregation Pipelines

Accessing other collections via NoSQL injection in MongoDB aggregation pipelines using $lookup or $unionWith operators.

9.??? Listen to the whispers: web timing attacks that actually work

Making HTTP/2 timing attacks feasible and effective across diverse web environments by addressing network and server noise through novel techniques like single-packet sync and exploiting scoped SSRF opportunities.

10. ChatGPT Account Takeover - Wildcard Web Cache Deception

Exploiting path traversal confusion in CDN and web server URL parsing to cache sensitive API endpoints for auth token theft.

11. CORS vulnerabilities: Weaponizing permissive CORS configurations

Reflected arbitrary origins and alternate domain/subdomain trust in CORS configurations can permit unauthorized data exfiltration.

12. HTTP/2 CONTINUATION Flood: Technical Details

HTTP/2 CONTINUATION Flood attack enables denial of service by exhausting server resources with an unending stream of headers lacking an END_HEADERS flag.

13. POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows

Exploiting the javascript: pseudo-protocol with auto-submitting forms in OAuth 2.0 Form Post Response Mode and SAML POST-Binding to achieve XSS.

14. Authorization bypass due to cache misconfiguration

Authorization bypass due to short-term caching vulnerability.

15. How an obscure PHP footgun led to RCE in Craft CMS

Abusing the register_argc_argv PHP configuration to manipulate Craft CMS path handling and achieve Remote Code Execution via the FTP wrapper in Twig templates.

16. Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild

Chaining DOM Clobbering with postMessage and CSP bypasses to escalate XSS.

17. From Arbitrary File Write to RCE in Restricted Rails apps

Abusing Bootsnap's cache manipulation to execute arbitrary code in restricted Rails environments.

18. Why Code Security Matters - Even in Hardened Environments

Exploiting an arbitrary file write vulnerability in a Node.js application to achieve remote code execution by writing to pipe file descriptors exposed via procfs.

19. Devfile file write vulnerability in GitLab

Exploiting YAML parser differentials and path traversal in tar file extraction to achieve arbitrary file write in GitLab.

20. Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit

Expanding single-packet attack's capabilities by utilizing IP fragmentation and TCP sequence number reordering to exploit limit-overrun vulnerabilities.

21. Anyone can Access Deleted and Private Repository Data on GitHub

Cross Fork Object Reference (CFOR) vulnerability enables unauthorized access to sensitive data in deleted and private GitHub repositories using commit hashes.

22. Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks

CTF-focused techniques

23. Wormable XSS www.bing.com. XSS on www.bing.com context via Maps…

Wormable XSS on Bing using KML file and mixed-case JavaScript to bypass blacklist.

24. OAuth Non-Happy Path to ATO

Using multiple response_type values in Google OAuth to capture both id_token and authorization code in the URL fragment for account takeover.

25. Crashing servers with digits

Exploiting floating-point numbers with excessive digits to cause server DoS.

26. Source Code Disclosure in ASP.NET apps

Using .NET cookieless sessions to obtain source code.

27. Bench Press: Leaking Text Nodes with CSS

Leaking text node content by using CSS animations to measure character heights and exfiltrating data via image requests.

28. World of SELECT-only PostgreSQL Injections

Offline manipulation of PostgreSQL filenodes for privilege escalation and RCE.

29. Breaking Down Multipart Parsers: File upload validation bypass

Techniques to bypass multipart/form-data parsers by exploiting discrepancies in parameter handling, boundary recognition, and content validation, including duplicated parameters, omission of necessary delimiters, and alternate encoding sequences.

30. plORMbing your Django ORM

Exploiting relational filtering in Django ORM to leak sensitive data through many-to-many relationship and permission models.

31. WorstFit: Unveiling Hidden Transformers in Windows ANSI!

Exploiting Windows Best-Fit character conversion for attacks like Path Traversal, Argument Injection, and RCE across various applications.

32. Unsecure time-based secret and Sandwich Attack

Practical exploitation of time-based secrets

33. A Race to the Bottom - Database Transactions Undermining Your AppSec

Detailed analysis of patterns that enable race condition attacks on database transactions

34. Bypassing WAFs with the phantom $Version cookie

Bypassing WAFs using legacy support in cookie parsers through the $Version attribute and quoted-string encoding.

35. Ruby 3.4 Universal RCE Deserialization Gadget Chain

Developing a universal RCE deserialization gadget chain for Ruby 3.4 that leverages RubyGems autoloading, uses 'rake' and 'make' commands for execution, and suppresses exceptions using an UncaughtThrowError object.

36. User info extraction abusing placeholder injection in Zendesk

User info extraction using placeholder injection via subject-to-description sanitization bypass in Zendesk.

37. Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)

Exploiting XPath vulnerabilities to bypass SAML signature validation in Ruby-SAML.

38. Lost in Translation - WAF Bypasses By Abusing Data Manipulation Processes

Abusing edge-side includes and Unicode manipulation to bypass WAF.

39. plORMbing your Prisma ORM with Time-based Attacks

Using time-based attacks on Prisma ORM to leak sensitive data by crafting queries that exploit relational filtering to cause significant execution delays.

40. Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls

Automated discovery of protocol-level evasion vulnerabilities in WAFs using a novel testing methodology that exploits parsing discrepancies between WAF and web applications.

41. Chaining Three Bugs to Access All Your ServiceNow Data

Bypassing ServiceNow's template injection mitigations via sanitized style tag content for code execution.

42. CVE-2023-5480: Chrome new XSS Vector

Exploiting Service Worker registration in JIT-installed workers for XSS via manipulated payment manifests in Chrome.

43. Using YouTube to steal your files ?

Chaining multiple open redirect vulnerabilities in YouTube and Google Docs to perform a clickjacking attack granting editor access to Google Drive files.

44. Remote Code Execution with Spring Properties

Leveraging Spring Boot's logging configuration properties to achieve remote code execution through Logback's JoranConfigurator.

45. Gudifu: Guided Differential Fuzzing for HTTP Request Parsing Discrepancies

Gudifu uses guided differential fuzzing to discover HTTP request parsing discrepancies that can lead to new attack vectors such as HTTP request smuggling and cache poisoning.

46. Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges

Recursive merge technique in Ruby to achieve class pollution for privilege escalation and RCE.

47. How Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

Exploiting Zendesk's lack of email spoofing safeguards to hijack ticket threads and gain unauthorized access to Slack accounts using OAuth.

48. Exploring the DOMPurify library: Bypasses and Fixes

Mutation XSS by leveraging node flattening, stack of open elements, and namespace confusion to bypass DOMPurify.

49. Splitting the email atom: exploiting parsers to bypass access controls

Exploiting email parsing discrepancies using encoded words and unicode overflows for access control bypass and potential RCE in web applications.

50. The Ruby on Rails _json Juggling Attack

The json juggling attack manipulates JSON parameters to bypass authorization in Ruby on Rails by exploiting the handling of json keys.

51. Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall

Exploiting China's DNS poisoning for subdomain takeover via Fastly or XSS via vulnerable cPanel installations.

52. Exploiting the Unexploitable Insights from the Kibana Bug Bounty

New primitives and gadgets that enable the achievement of RCE from Prototype Pollutions previously deemed unexploitable

53. Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities

Exploiting inconsistencies in PHP mbstring functions to bypass Joomla's input sanitization leading to XSS vulnerabilities.

54. Encoding Differentials: Why Charset Matters

Exploiting ISO-2022-JP encoding to bypass sanitization and inject JavaScript when charset information is missing.

55. Abusing Intended Feature And Bypassing Facial Recognition.pptx

Bypassing facial recognition by exploiting AI's inability to distinguish between live human faces and deepfake images.

56. Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites

A novel HTTP Request Smuggling vector affecting Google Cloud-hosted websites.

57. Supply Chain Attacks: A New Era

Bypassing Lavamoat's policy file sandboxing through crafted multiline source map comments and evading SnowJS realm isolation via the deprecated document.execCommand function.

58. Cross Window Forgery: A New Class of Web Attack

Uing browser navigation and keystrokes to execute actions on different websites via URL fragments.

59. Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs

Exploiting Vue.js CSTI through ENS name truncation to achieve XSS and manipulate NFT bids.

60. Zoom Session Takeover - Cookie Tossing Payloads, OAuth Dirty Dancing, Browser Permissions Hijacking, and WAF abuse

Cookie tossing to escalate XSS vulnerabilities, OAuth Dirty Dancing for session takeover, and leveraging XSS for browser permission hijacking and DoS through WAF Frame-up techniques.

61. Hacking Millions of Modems (and Investigating Who Hacked My Modem)

Unauthorized access to ISP-managed TR-069 APIs via authorization bypass, leading to full device takeover.

62. Introducing lightyear: a new way to dump PHP files

Automated high-speed exploitation with PHP filter chains

63. [EN] Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the sandwich attack

Multi-sandwich attack exploiting MongoDB Object ID's predictable counter to monitor and intercept tokens in real-time.

64. Gotta cache 'em all: bending the rules of web cache exploitation

Novel techniques exploiting URL parsing discrepancies to achieve arbitrary web cache poisoning and deception.

65. SQL Injection Isn't Dead Smuggling Queries at the Protocol Level

Protocol-level SQL injection attacks via database wire protocol smuggling.

66. Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery

Exploiting Client-Side Path Traversal for CSRF by chaining GET and POST actions (CSPT2CSRF).

67. http-garden: Differential fuzzing REPL for HTTP implementations.

Platform for finding novel HTTP request smuggling vectors.

68. Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine

Exploiting a buffer overflow in glibc's iconv function to achieve remote code execution in PHP applications, such as Roundcube, by manipulating session variables or leveraging deserialization vulnerabilities.

69. Unveiling the Prototype Pollution Gadgets Finder

Automated exploitation of server-side prototype pollution using gadget identification.

70. Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

Exploiting architectural flaws in Apache HTTP Server's module interactions to achieve insecure path access, predictable handler manipulation, and authentication bypass.

71. Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)

Exploiting the Clipboard API to inject XSS payloads through poisoned clipboard data in collaborative whiteboard applications.

72. Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting

Synthesizing polyglot payloads for detecting blind XSS across multiple injection contexts without feedback channels.

73. Delinea Protocol Handler - Remote Code Execution via Update Process (CVE-2024-12908)

Exploiting sslauncher URL handler to achieve Remote Code Execution via MSI transform abuse.

74. XSS using dirty Content Type in cloud era

XSS through manipulation of Content-Type headers.

75. Another vision for SSRF

Using SSRF to capture session cookies by directing requests to a controlled server.

76. Old new email attacks

Exploiting inconsistent parsing of email headers across services for email spoofing and SMTP injection.

77. Hijacking OAUTH flows via Cookie Tossing

Hijacking OAUTH flows via Cookie Tossing for Account Takeovers

78. Exploiting Number Parsers in JavaScript

Exploiting discrepancies in JavaScript number parsers for DoS via parameter pollution.

79. Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences

Detecting and chaining indirect JavaScript prototype pollution gadgets using undefined properties for complex attack vectors like ACE and RCE.

80. Exploring Javascript events & Bypassing WAFs via character normalization

Exploring Javascript events & Bypassing WAFs via character normalization

81. Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule

DoS technique exploiting overly inclusive WAF rules to block legitimate content delivery.

82. Next.js and cache poisoning: a quest for the black hole

Exploiting internal headers in Next.js to control HTTP status codes and cache error pages.

83. Universal Code Execution by Chaining Messages in Browser Extensions

Chaining messaging APIs in browser extensions to bypass Same Origin Policy and trigger native application vulnerabilities for universal code execution.

84. Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting

Chain of Arbitrary File Write, Arbitrary File Read, and Local DLL Loading for RCE on Exchange.

#WebSecurity #CyberSecurity #DataProtection #WebsiteSecurity #SecureWebDevelopment #OnlineSafety #WebApplicationSecurity #CyberThreats #SecureCoding #WebHacking #InternetSecurity #VulnerabilityManagement #ThreatPrevention #CyberDefense #WebsiteProtection #DigitalSecurity #HackerPrevention #WebPenTesting #DataPrivacy #SecureBrowsing