Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318
Feb 18, 2025
Dive into the captivating realm of web hacking as industry expert James Kettle reveals the top 10 techniques for 2024. Discover why enduring flaws like XSS and SQL injection remain prevalent, despite new technologies like HTTP/3 and WebAssembly emerging. Uncover innovative approaches, including advanced SQL injection and cookie manipulation. The conversation also highlights the exciting intersection of AI and web vulnerability research, showcasing how tools like Shadow Repeater transform manual testing. Engage with the thrill of hacking and the crucial role of ongoing research in cybersecurity.
The resurgence of SQL injection through innovative methods underscores the adaptability of legacy attack techniques in modern web frameworks.
Shifting to session storage from traditional cookie management could significantly enhance security by addressing inherent vulnerabilities in cookie systems.
Deep dives
The Impact of SQL Injection Techniques
One of the most surprising findings in this year's top web hacking techniques is the resurgence of SQL injection methods, specifically through a novel approach called 'smuggling queries at the protocol level'. This technique highlights how attackers can exploit binary protocols to perform SQL injections, effectively bypassing traditional safeguards. By targeting the intricacies of database drivers, whose security is often assumed, attackers reveal vulnerabilities overlooked by many. This innovative thinking showcases the potential for older attack methods to be adapted and reimagined within modern frameworks.
The Vulnerability of Cookies and Session Storage
The discussion surrounding cookie management and session storage emphasizes the inherent security flaws within traditional cookie systems. Despite the robust protections offered by HTTP-only flags and same-site cookies, the foundational issues remain, making cookies a significant target for attacks. In contrast, session storage presents a more secure alternative for storing session tokens, as it adheres to improved security principles without the complexity and legacy issues of cookies. Advocating for a shift towards session storage could mitigate many existing vulnerabilities related to cookie exploitation.
Complexity in Web Architecture: A Double-Edged Sword
The complexity inherent in web architectures, such as HTTP servers, poses significant security challenges as highlighted by recent research on confusion attacks. These attacks exploit architectural ambiguities among servers, potentially leading to high-impact vulnerabilities that attackers can leverage. This complexity is further exacerbated by the rapid evolution of technologies, such as HTTP/2 and HTTP/3, which introduce new attack surfaces while often failing to address legacy security issues. Embracing these newer standards more universally could provide better defense mechanisms against emerging threats.
Encouraging Innovation in Security Research
To foster innovation in security research, it’s essential to emphasize the importance of publication and sharing findings, even when they involve failure. Many researchers are hesitant to share unsuccessful attempts, yet these experiences can provide valuable insights for others in the community. The message that perseverance in research leads to growth resonates strongly, as successes often stem from the willingness to experiment and learn from setbacks. By embracing a culture of collaboration and acknowledgement, the cybersecurity field can advance more effectively against evolving threats.
We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly.