
Title: From 2013 to 2023: Web Security’s decade of evolution and trends!


TL;DR for Hackers/Researchers: this is a more conceptual talk aimed at web developers. It is entirely in Mandarin, but you can check the slides here if interested.

I haven't blogged for a long time, so I'll record my talk at WebConf 2023 here. It is mostly a matter of sorting out the evolutionary trends of Web Security over the past decade and introducing some fairly good attack techniques. Although there is no recording of the talk, and I'm not sure anyone wants to see the slides, if you're interested you can still click here to get them!

Since the audience is website developers (covering front-end, back-end and even architects), the attack techniques I chose are simple, quick, understandable and interesting. I don't talk about defensive techniques, because they can't be covered in just 45 minutes, so the small goal I set for myself is this: as long as there is one thing such that, when a developer later encounters the same scenario, a little red box pops up in their head, a vague memory that someone once said something could be done through this method, then my goal will have been achieved!


So how has Web Security developed over the past ten years? If I had to use one word to describe it, the most important one is "involution" (卷)! Web Security has become so competitive that even a single byte has to be argued over. Take, for example, the classic Nginx Off-by-Slash problem: when to add a slash and when not to. I believe those who understand will smile knowingly.

Looking at the development of Web Security over the past decade, I have summarized the following four trends (the following purely represents my personal views; feel free to disagree :)

1. Architecture-level attacks are gradually becoming a prominent field

As website architecture has grown more complex, problems that used to be solved on a single server have become complicated by the introduction of reverse proxies, load balancers, firewalls, cache servers and even CDNs. How the original web application and web server cooperate with these new roles, and how the interactions between these combinations introduce new attacks, has been an area explored throughout the past decade. The cases I gave here are:

Abusing HTTP hop-by-hop request headers by Nathan Davison
Real-world case: F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive by James Horseman

Web Cache Deception Attack by Omer Gil
Real-world case: Web Cache Deception Attack in PayPal Home Page

Regrettable omission: HTTP Desync Attacks: Request Smuggling Reborn by James Kettle

2. Attacks that re-examine the underlying logic

As front-end and back-end frameworks have matured, developers have gradually formed the habit of relying on the framework. To keep up with this trend, attackers have had to start digging into the framework and even the underlying programming language. For example, early SQL Injection dropped sharply once ORMs appeared, so attackers began looking for flaws in the ORM implementations themselves; similarly for XSS, the framework's built-in protection is enough for most development scenarios, so attackers can only turn to studying how the framework itself handles things.

On the other hand, re-examining framework logic that exists for developer convenience is another approach that has emerged in recent years. For example, although the Spring4Shell vulnerability looked like a problem in Data Binding, careful review shows that the main cause was a Java Runtime version update that changed the internal mechanism underneath it.

Under this trend I introduced two attack techniques at the programming-language level:

File Operation Induced Unserialization via the “phar://” Stream Wrapper by Sam Thomas
Real-world case: Laravel <= v8.4.2 Debug Mode: Remote Code Execution

Prototype pollution attack in NodeJS application by Olivier Arteau
Real-world case: Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) by Michał Bentkowski

3. Attack surface created by inconsistency

As website functionality grows more complex, data travels through a longer and longer lifecycle inside the site! A single user request (a piece of data) may pass through pre-processing by intermediate proxy/cache servers, re-processing by business logic, processing by cloud APIs, and finally be parsed once more by the logging server. The more parties process the data, each parsing the same document in its own way, the more the inconsistencies between their interpretations can cause security problems.

What has been particularly interesting in recent years are attacks on RFC parsing. An RFC only defines the rules and does not say how to implement them, so differences between implementations lead to problems. In the case I gave, the inconsistency between JavaScript and Erlang when parsing the same JSON document caused so much trouble. I believe this will also be one of the important trends in Web Security in the future!

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai

Remote Code Execution in CouchDB by Max Justicz
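The JSON inconsistency described above, as an added example that is not part of the original post: the same constructed document is parsed with a last-key-wins rule (what JavaScript's JSON.parse and Python's json module do) and with a first-key-wins rule (a model of a parser that keeps pairs in order and looks up the first match), and an authorization check reaches opposite conclusions. The strict parser at the end is the defensive fix: refuse documents with duplicate keys so two components can never disagree about them. The document, the "admin" role name and the helper names are all constructed for illustration.

```python
import json

# Constructed sample document: "roles" appears twice. Which value "wins" is
# entirely up to the parser, which is the inconsistency the talk describes.
DOC = '{"name": "someone", "roles": ["admin"], "roles": [], "type": "user"}'


def parse_last_wins(text):
    """Standard behaviour of JSON.parse in JavaScript and of Python's json:
    a later duplicate key silently overwrites the earlier one."""
    return json.loads(text)


def parse_first_wins(text):
    """Model of a parser that keeps key/value pairs in order and returns the
    first match on lookup, so the earlier duplicate wins instead."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)   # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=keep_first)


class DuplicateKeyError(ValueError):
    """Raised by parse_strict when an object repeats a key."""


def parse_strict(text):
    """Defensive variant: reject any object (at any nesting depth) with a
    repeated key, so no two consumers can interpret it differently."""
    def reject_dupes(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise DuplicateKeyError(f"duplicate key: {key!r}")
            out[key] = value
        return out
    return json.loads(text, object_pairs_hook=reject_dupes)


def rejects_duplicates(text):
    """True if parse_strict refuses the document, False if it parses cleanly."""
    try:
        parse_strict(text)
    except DuplicateKeyError:
        return True
    return False


def is_admin(doc):
    """Constructed authorization check: does the parsed document grant admin?"""
    return "admin" in doc.get("roles", [])
```

Run the two lenient parsers over DOC and compare is_admin() on each result: the validating component and the storing component would make different decisions about the same bytes, which is exactly the gap parse_strict closes.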

4. New attacks arising from cross-application combinations

This is an era in which web developers have to know everything: traditionally, writing a website meant you never had to touch the low level, and then WebAssembly came along; you never had to understand cryptography, and then Web 3.0 appeared. Information security has never been a single subject. If you are only familiar with your own domain, you will easily fall into blind spots or even be blindsided! Web Security has likewise started to see cross-application attacks, whether through cross-component combinations, cross-layer errors, cross-domain combinations, or even combinations of different conventions. For example, an RFC naming convention just happens to coincide with the variable name used by HTTP libraries. In recent years, such mind-blowing examples have kept appearing, and one can only admire the rich imagination it takes to combine things that seem to have nothing to do with each other!

Ticket Trick: How I hacked hundreds of companies through their helpdesk by Inti De Ceukelaire

HTTPoxy Attack

AvOracle: New Attack Vector Against Anti Virus by Ryo Ichikawa and Ryota Shiga

Timeless Timing Attacks by Tom Van Goethem and Mathy Vanhoef
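The "RFC naming convention coincides with an HTTP library's variable" case mentioned above (the HTTPoxy reference in the list), as an added example that is not part of the original post: the CGI mapping turns each request header into an HTTP_ environment variable, so a client-supplied Proxy header lands in HTTP_PROXY, the very name many HTTP clients read for their outbound proxy. The hardened mapping drops that header before the conversion. The header list, the hostnames and the client model are constructed for illustration.

```python
# Constructed sample request headers: the "Proxy" header is one a client
# chose to send; no standard request header has that name.
HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]


def cgi_env_from_headers(headers):
    """CGI-style mapping (RFC 3875): upper-case the header name, replace '-'
    with '_' and prepend HTTP_. 'Proxy' therefore becomes HTTP_PROXY."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_env_hardened(headers):
    """Mitigation: strip the 'Proxy' request header before mapping, so no
    client-controlled value can reach the HTTP_PROXY environment variable."""
    safe = [(name, value) for name, value in headers if name.lower() != "proxy"]
    return cgi_env_from_headers(safe)


def outbound_proxy(env):
    """Model of an HTTP client library that honours HTTP_PROXY (or its
    lower-case form) from the environment when making outbound requests."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def env_is_clean(env):
    """Detection helper for the same check on an already-built environment:
    True when nothing that could steer outbound traffic is present."""
    return outbound_proxy(env) is None
```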

5. When front-end security is no longer only on the front end…

I originally planned to list only four items, but it is always hard to leave front-end security out of the development trends. Well, the Four Heavenly Kings always have five members anyway! Let's treat front-end security as the final boss.

With the rise of Web 2.0/3.0, websites have become user-centric and store more and more sensitive data on the user side. Over the past decade, from changes in browsers to new features added to mainstream frameworks, front-end security could fill a talk of its own and has developed many cool techniques, some of them quite esoteric. However, because a large part of front-end security still depends on user interaction, it is often undervalued; but with Headless Browsers and Electron-based desktop applications, this prejudice is slowly starting to break down!

First, Chromium is now everywhere. More and more developers use a Headless Browser on the server side to render web pages directly into PDFs or images. Combined with the prevalence of web crawling and test automation, many XSS bugs that used to require user interaction can now be triggered directly on the server side (or automatically). This is gradually blurring the line between front-end security and back-end security.

Another watershed is the popularity of Electron-based desktop applications (and the same goes for WebView in mobile apps). Now that popular desktop applications such as Slack, Discord, Trello, and even Visual Studio Code for writing code have all become browser-based desktop applications, XSS, once considered of little value and only good for stealing cookies, is now a high-risk vulnerability that can directly pop a calculator! Take a look at the Microsoft Teams example: creating XSS in a desktop application through an AngularJS feature, then completing the entire attack chain through Prototype Pollution, fully compromising the victim with a single message!

How I Hacked Microsoft Teams and got $150,000 in Pwn2Own by Masato Kinugawa

Conclusion

I should always close with a good sentence. In short, I believe Web Security still has another ten years ahead of it, and attacks will only become more refined and more sophisticated. As for whether to keep learning, lie flat, or hand it straight to the professionals, that is up to you to decide!
