Dependency confusion tops PortSwigger’s annual web hacking list for 2021

Demand smuggling attacks a key theme

PortSwigger Web Security’s annual Top 10 Web Hacking Techniques list has been announced, with Dependency Confusion Attacks crowned the number one technique seen in 2021.

The list was voted from 40 nominations to the final 10 by an industry panel that included renowned researchers Nicolas Gregoire, Soroush Daliliand File descriptor.

The top 10 2021 spot came from researcher Alex Birsan’s dependency confusion attack, which used the technique to gain access to Apple, Microsoft and other top companies.

He revealed details of the new supply chain attack after going through a disclosure process with affected suppliers.

The attack

Dependency confusion occurs when an attacker is able to execute malicious software on a company’s network by replacing privately used software packages – called “dependencies” – with malicious public packages of the same name.

Birsan used this technique to upload malicious code into public RubyGems and Python packages, porting it into dependencies.

READ MORE Researcher hacks Apple, Microsoft and other big tech companies in new supply chain attack

He was able to breach the internal systems of the organizations mentioned above, as well as Shopify, Netflix, Yelp, Tesla and Uber, earning $130,000 in bug bounty in the process.

In addition, dependency confusion flaws have been detected in more than 35 organizations. Birsan added that “the vast majority of affected companies fall into the 1000+ employee category, which most likely reflects the higher prevalence of internal library use within larger organizations.”

Learn more about the highest rated attack technique of 2021 here.

The second place

PortSwigger’s James Kettle’s research, “HTTP/2: The Sequel is Always Worse”, came in at number two, which was independently submitted and voted on by the Top 10 panel.

Kettle, who previously demonstrated new insight into HTTP request smuggling attacks, found that despite upgrading to HTTP/2, many sites were still vulnerable to smuggling attacks due to rewriting requests in order to talk to the main server.

The researcher calls this “HTTP2 downgrade” and was able to use the attack to collect a $20,000 bug bounty from Netflix, among other things.

CONTEXT Black Hat USA: HTTP/2 flaws expose organizations to a new wave of request smuggling attacks

“Netflix used the Netty Java library for its HTTP/2 support and this library forgot to check that the content length was correct,” Kettle previously said. The daily sip.

By exploiting this flaw, an attacker could redirect users to their own website, obtain persistent execution of JavaScript on the main Netflix website, or hijack user accounts en masse.

Read more about the attack here.

Learn about the latest news on hacking techniques

In third place was Orange Tsai’s A New Attack Surface on MS Exchange, his fifth time in the top 10 list.

Fourth place was client-side prototype pollution in the wild, while fifth place went to hidden OAuth attack vectors.

In sixth place, scale cache poisoning, JSON interoperability vulnerabilities in seventh place, and convenient HTTP header smuggling in eighth place.

Finally, ninth place went to HTTP smuggling through higher HTTP versions and 10th Fuzzing for XSS via nested parsers.

You can read more about each of the attacks here.

Talk to The daily sipJames Kettle said this year’s top 10 was “wider than usual”.

The researcher added, “We suspected the Addiction Confusion would do well in the community vote, as it has been independently nominated five times. We also saw fewer ballot box stuffing attempts in community voting than usual.

“As mentioned in the post, the key topic was demand smuggling. The volume of research on this topic made ranking a bit tricky, as some new techniques have been independently discovered multiple times.

RECOMMENDED Dependency confusion attack mounted via PyPi repository exposes faulty package installer behavior

About Mike Stevenson

Check Also

Iran ‘deliberately floods’ Yemen with drugs: minister

Yemen’s information minister has accused Iran of “deliberately flooding” Yemen with drugs after authorities arrested …