Episode 60: Our Take on PortSwigger's Top 10 Web Hacking Techniques of 2023
Feb 29, 2024
Exploring top web hacking techniques of 2023 such as state machine smashing, NTLM token theft via Akamai servers, SMTP smuggling, PHP filter chains, HTTP request splitting, hacking Microsoft Teams, cookie manipulation, and EPP server takeovers. The hosts analyze and debate these advanced hacking methods with insightful commentary and practical examples.
Understanding vulnerabilities in SMTP security mechanisms like SPF, DKIM, and DMARC through SMTP smuggling techniques.
Identifying and exploiting Nginx misconfigurations leading to HTTP request splitting vulnerabilities.
Insights into successful hacking methodologies employed in exploiting Microsoft Teams at Pwn2Own competition.
Exploration of critical vulnerability classes like Smashing the State Machine and risks associated with filter chains in web security.
Deep dives
Research on Web Hacking Techniques of 2023
The hosts work through the top 10 web hacking techniques of 2023, showcasing research findings from James Kettle and others. Techniques such as exploiting Nagle's algorithm in TCP packets and using HTTP/2 for race condition testing are analysed in depth, demonstrating innovative and impactful methodologies in the hacking community.
SMTP Smuggling Explored
An exploration of SMTP smuggling highlighted vulnerabilities in SMTP security mechanisms like SPF, DKIM, and DMARC. The technique borrows from HTTP smuggling methodology to manipulate the SMTP end-of-data sequence, creating deliberate mismatches between how the relaying and receiving servers delimit a message, which was shown to enable arbitrary redirects and NTLM hash theft.
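The relay/receiver mismatch described above, as an added example that is not code from the podcast or from the original research: a strict relay that splits only on the RFC 5321 terminator, a lax receiver that also honours bare-newline variants, and the check a hardened receiver can apply before relaying. The DATA stream, the set of lax terminator variants and all function names are constructed for this illustration.

```python
import re
from typing import List, Tuple

# RFC 5321 end-of-data sequence: a lone dot on its own CRLF-delimited line.
STRICT_EOD = b"\r\n.\r\n"

# Terminator variants a lax receiver may also honour: bare LF, bare CR, or a mix.
# Constructed for this example; real implementations differ in which ones they accept.
ANY_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# Constructed DATA stream. A relay that recognises only <CRLF>.<CRLF> forwards all of
# it as one message; a receiver that also honours <LF>.<LF> ends DATA early and reads
# the rest as new SMTP commands, i.e. a second message under the first one's envelope.
SMUGGLED_STREAM = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\n"
    b"legit body\r\n"
    b"\n.\n"  # non-standard terminator hidden in the body
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"
    b"From: ceo@example.com\r\nSubject: urgent\r\n\r\nsmuggled body\r\n"
    b".\r\n"
)

def strict_receive(stream: bytes) -> Tuple[bytes, bytes]:
    """Strict relay/receiver: split only on <CRLF>.<CRLF>; return (message, unconsumed).
    Lax terminators inside the body are just data, so a relay forwards them verbatim."""
    idx = stream.find(STRICT_EOD)
    if idx == -1:
        return b"", stream  # DATA not terminated yet
    return stream[:idx], stream[idx + len(STRICT_EOD):]

def lax_receive(stream: bytes) -> List[bytes]:
    """Lax receiver: end DATA at the first terminator of any form and treat what
    follows as further input (modelled here as additional chunks)."""
    return [chunk for chunk in ANY_EOD.split(stream) if chunk]

def find_smuggling_terminators(stream: bytes) -> List[Tuple[int, bytes]]:
    """Defensive check: list every non-standard terminator that precedes the strict end
    of DATA. A non-empty result means a lax downstream hop would split this message."""
    body, _ = strict_receive(stream)
    return [(m.start(), m.group(0)) for m in ANY_EOD.finditer(body)]

def hardened_receive(stream: bytes) -> Tuple[bool, bytes]:
    """Hardened receiver: reject DATA that contains any non-standard terminator,
    so a splittable message is never relayed to a lax next hop."""
    if STRICT_EOD not in stream or find_smuggling_terminators(stream):
        return False, b""
    return True, strict_receive(stream)[0]
```

On the constructed stream the strict relay sees one message, the lax receiver sees two, and the hardened receiver refuses it outright.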
HTTP Request Smuggling Vulnerabilities Unveiled
Nginx misconfigurations leading to HTTP request splitting vulnerabilities were discussed, emphasizing how regex patterns in location definitions can inadvertently allow injection of newline characters. Detection methods, such as inserting "space X" for error code differentiation and testing for HTTP protocol redirection, were highlighted as ways to identify and exploit request splitting.
Success in Hacking Microsoft Teams at Pwn2Own
A detailed account of hacking Microsoft Teams at Pwn2Own by Masato Kinugawa. He shared the techniques he used to exploit the Electron environment, giving insight into how he probed for vulnerabilities and targeted the parameters used to instantiate browser window objects. His successful hack, which earned a $150K reward, showcased expertise in navigating complex application environments for security exploitation.
Bonus: Non-Technical Experiences at Pwn2Own
Masato Kinugawa shared additional content on his non-technical experiences at Pwn2Own, offering insights into the overall process and engagement at the event for those interested in the human side of participating in such prestigious hacking competitions.
Smashing the State Machine
Smashing the State Machine research explores a critical vulnerability class with significant implications. The implementation is clear and the research provides insights into an underserved vulnerability area.
Filter Chains
Filter Chains research, demonstrating how generating arbitrary content opens exploitable doors, has high applicability and implications in real-world scenarios. It offers a deep understanding of internet infrastructure risks.
Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel review the PortSwigger Research list of the top 10 web hacking techniques of 2023.
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.