A novel alternative to traditional HTTP request smuggling that spotlighted an obsolete, hitherto obscure protocol has been recognized as 2020’s top web hacking technique. HTTP/2 cleartext (H2C) smuggling abuses H2C-unaware front-ends to create a tunnel to backend systems, enabling attackers to bypass frontend rewrite rules and exploit internal HTTP headers.

Conceptually similar to, but significantly more practical than, WebSocket smuggling, “request tunnelling exploitation is an emerging art so this one may be a slow burn, but we anticipate some serious carnage in future.”
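As an added example (not from the article or the original research), the Python below shows an edge-side check for the upgrade request that H2C smuggling depends on, following the h2c upgrade defined in RFC 7540 section 3.2. The names `classify` and `ALLOWED_UPGRADES` and the sample requests are constructed, and it assumes the edge only needs to pass WebSocket upgrades.

```python
# Added example (not from the article): classify Upgrade requests at the edge.
# RFC 7540 section 3.2 defines the h2c upgrade: "Upgrade: h2c" plus one
# "HTTP2-Settings" header, both listed in "Connection".
ALLOWED_UPGRADES = {"websocket"}  # assumption: the only upgrade this edge needs

def parse_headers(raw: bytes):
    """Return (lowercased name, value) pairs from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def tokens(pairs, name):
    """Comma-separated tokens across every occurrence of a header, lowercased."""
    return [t.strip().lower() for n, v in pairs if n == name
            for t in v.split(",") if t.strip()]

def classify(raw: bytes):
    """Return (verdict, reasons); verdict is 'forward' or 'reject'."""
    pairs = parse_headers(raw)
    upgrades = {t.split("/")[0] for t in tokens(pairs, "upgrade")}
    reasons = []
    if "h2c" in upgrades:
        reasons.append("upgrade-h2c")
    if any(n == "http2-settings" for n, _ in pairs):
        reasons.append("http2-settings-header")
    if "http2-settings" in tokens(pairs, "connection"):
        reasons.append("connection-lists-http2-settings")
    if upgrades - ALLOWED_UPGRADES - {"h2c"}:
        reasons.append("unexpected-upgrade")
    return ("reject" if reasons else "forward"), reasons

# Constructed sample requests (host, paths and settings value are placeholders).
WEBSOCKET = (b"GET /chat HTTP/1.1\r\nHost: app.example\r\n"
             b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n")
H2C = (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
       b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
       b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
MIXED = (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
         b"connection: upgrade\r\nUPGRADE: WebSocket, H2C\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("websocket", WEBSOCKET), ("h2c", H2C), ("mixed", MIXED)):
        print(name, classify(req))
```

The mixed-case request with two upgrade tokens is rejected as well, because header names and tokens are compared case-insensitively and every token in `Upgrade` is inspected.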

In Data Exfiltration, tackles the format and stretches PDF parsers to go from PDF link injection to document theft, JavaScript execution and SSRF.

Farewell SQLi?

“Once again we’re seeing a nice overview of novel techniques discovered by quality research, showing that despite significant improvements in practices and supporting frameworks there are still numerous ways in which applications fail.”

Offensive web security research is continually being forced to evolve in response to ongoing improvements to App Security.


While applications themselves are becoming more secure, the increasingly multifaceted layers below are creating opportunities for innovative researchers.

With the advent of serverless computing, we risk [losing] insight into the extremely abstracted layers that allow our applications to run. This includes proxies, load balancers, web application firewalls, and all of the very complex functions they provide.

Understanding what those components do, how they impact our applications, and – most importantly – what they do not do, is critical to developing a threat model for your application or infrastructure.

The top 10 web hacking techniques of 2020

  1. H2C smuggling: Request smuggling via HTTP/2 cleartext
  2. Portable data exfiltration: XSS for PDFs
  3. Attacking secondary contexts in web applications
  4. When TLS hacks you
  5. NAT slipstreaming
  6. Smuggling HTTP headers through reverse proxies
  7. Unauthenticated RCE on MobileIron MDM
  8. ImageMagick – Shell injection via PDF password
  9. Attacking MS Exchange web interfaces
  10. WAF evasion techniques