A Romanian white-hat hacker won the annual web hacking top 10 for 2021

  • 11 months ago
  • posted by: NSHOST

Alex Bîrsan collected bounties from Apple, Microsoft, Tesla, Uber and Netflix after showing them how they could be attacked. A white-hat hacker who specializes in finding security issues for client companies and through public bug bounty programs, Alex managed to break into the internal systems of these organizations, earning over $130,000 in bounties in the process.

Nominated for PortSwigger's annual web hacking ranking, he reached the top 10 with his now well-known 'dependency confusion' technique and then took the #1 spot. The technique shows that an attacker can get malicious code executed on a company's network by replacing privately used software packages, the so-called "dependencies", with malicious public packages of the same name.

Most programming languages, Python among them, come with an easy, more or less standardized way to install the dependencies a project needs. These installers usually pull from public registries where anyone can freely upload code packages for others to use.

The best-known examples are Node with npm, Python's pip with PyPI (the Python Package Index) and Ruby with gems; packages from all of them can be found and installed by any programmer.

When we download and use a package from any of these sources, we are essentially trusting its creator or publisher to run code on our server or PC. Can this blind trust be exploited by malicious actors? Obviously, yes.

After Alex found, in code that companies had posted on the Internet, the names of private dependencies about which no information existed online, he had the idea of creating packages with exactly the same names himself, but public ones, hoping that this would cause confusion and that, as a result, code written by him would end up running inside the software of large companies.

The idea worked. When software installed such a dependency, it was often Bîrsan's public package that was fetched, not the company's private, internal one. "It seems that the developers, or even the automated systems of the companies, did not always ensure that they installed dependencies from the correct source", says the computer scientist. "The reasons can be multiple and complex, but the result is always the same: an attacker could have run malicious code on the affected companies' systems." As a white-hat hacker, Alex did not run malicious code but merely notified the companies and collected the rewards offered.
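The resolution mistake the article describes can be shown without touching any real registry. The following is an added illustration, not code from the article or from Alex Bîrsan's research: two dictionaries stand in for a private index and a public registry such as PyPI (all package names, versions and index entries are constructed), a weak resolver picks the highest version from any index, and a hardened resolver only ever takes names declared private from the private index. An audit helper also lists private names that are already claimed publicly, which is the check a defender wants to run before any build does.

```python
"""Simulation of dependency confusion and of a hardened resolution policy.

Added illustration, not code from the article or from Alex Birsan's research.
Every package name, version and index entry below is constructed for the
example; the two dictionaries stand in for a private index and a public
registry such as PyPI.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # (major, minor, patch), compared lexicographically
    source: str      # "private" or "public"


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


# Constructed indexes.  "internal-auth-client" is meant to exist only on the
# private index, but the public index carries a same-named package with a much
# higher version number: exactly the situation the article describes.
PRIVATE_INDEX = {
    "internal-auth-client": ["1.2.0"],
    "requests": ["2.25.1"],
}
PUBLIC_INDEX = {
    "internal-auth-client": ["99.0.0"],      # lookalike with an untrusted origin
    "requests": ["2.25.1", "2.26.0"],
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def candidates(name, sources):
    """All (name, version, source) triples for `name` across the given indexes."""
    return [Candidate(name, parse_version(v), src)
            for src in sources
            for v in INDEXES[src].get(name, [])]


def resolve_highest_version(name):
    """Weak policy: consult every index and take the newest version, wherever it
    lives.  A public lookalike with a bigger version number wins automatically."""
    found = candidates(name, ("private", "public"))
    if not found:
        raise LookupError(f"no index provides {name}")
    return max(found, key=lambda c: c.version)


def resolve_pinned_source(name, private_names):
    """Hardened policy: a name declared private is only ever taken from the
    private index; everything else comes from the public index only, so a
    public package can never shadow an internal one."""
    source = "private" if name in private_names else "public"
    found = candidates(name, (source,))
    if not found:
        raise LookupError(f"{name} not found on the {source} index")
    return max(found, key=lambda c: c.version)


def find_collisions(private_names):
    """Audit step: which of our private package names are already claimed on
    the public index?  Each hit deserves a look before any build runs."""
    return sorted(n for n in private_names if n in PUBLIC_INDEX)


_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def audit_requirements(requirement_lines, private_names):
    """For each requirements.txt-style line, report which index the weak policy
    would have used versus the hardened one."""
    report = {}
    for raw in requirement_lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name = _NAME.match(line).group(0).lower()
        weak = resolve_highest_version(name)
        safe = resolve_pinned_source(name, private_names)
        report[name] = (weak.source, safe.source)
    return report


if __name__ == "__main__":
    private = {"internal-auth-client"}
    reqs = ["internal-auth-client==1.2.0", "requests>=2.25  # public, fine", ""]
    print("collisions:", find_collisions(private))
    for pkg, (weak, safe) in audit_requirements(reqs, private).items():
        print(f"{pkg}: highest-version policy -> {weak}, pinned-source policy -> {safe}")
```

The hardened resolver is the policy, not a particular tool's flag: in practice it corresponds to telling the installer which index a given name may come from (a scoped or namespaced name, a single index that proxies the public one, or a pinned hash), and the collision audit is worth running on every private name a project declares.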

Alex is well known in the world of bounty hunters, winning many of the competitions he has entered. “I love the bug bounty industry,” he says. "It's a very free market, where companies compete for hackers' time with ever-increasing rewards."

Last year, for example, Google paid $6.7 million to hackers who responsibly reported vulnerabilities, up from 2019. Microsoft gave nearly $14 million in 2019-2020, and PayPal nearly $3 million. Although the sums seem high at first sight, they are much lower than the costs of possible serious security incidents. As expensive as they are, good hackers are cheaper than bad ones.

Since living costs in Iași are very low, Alex is living his dream: "The rewards are enough for me to live comfortably." After a big win like this one he usually takes a long break in which he relaxes and studies. That is what he will do now; he will be off for "a few months."

Top 10 web hacking techniques

PortSwigger's annual web hacking top 10 aims to identify the most significant web security research published in the previous year. For 2021 there were 40 nominations, with the following techniques reaching the top 10:

  1. Dependency Confusion - in which Alex Bîrsan exposes critical design and configuration flaws affecting widely used code libraries, exploiting package name ambiguity to obtain RCEs at numerous major companies and earn well over $130,000 in bounties. Prevention and countermeasures for this attack are still a work in progress, and we're curious to see where this avenue of research goes. Is the attack so elegant that it cannot be improved? Or is this just the humble beginning of a new persistent attack class? Congratulations to Alex on a well-deserved win!
  2. HTTP/2: "Ever wondered what could go wrong when converting between binary and ASCII protocols?" "This research has everything a reader needs. In addition to the actual research and output, the quality of the writing, tools and presentation make this very special." "This is good research on how HTTP/2 greatly increases the complexity of the whole situation. As HTTP/2 is still being adopted, request smuggling will become even more relevant with endless upgrading and downgrading between versions."
  3. A new attack surface on MS Exchange - Orange Tsai's work, touted as a "seamless introduction to the architecture and attack surface of Exchange, with reliable exploits and huge impact" and a "can of worms" that "changed the way many looked at this popular mail solution and reminded us that even the most (apparently) secure applications can be hacked with persistence and attention to detail."
  4. Exploiting Client-Side Prototype Pollution in the wild - described by filedescriptor as "probably an underprivileged bug class because it's only occasionally exploited", Prototype Pollution was strictly an enthusiast technique until this phenomenal research, which defines a clear and insightful methodology for practical identification and exploitation. It's also notable for its star-studded cast, led by s1r1us - in Soroush's words, "It feels like you're watching The Avengers!"
  5. Hidden OAuth attack vectors. Hackers typically focus on endpoints that are either directly visible or discovered during reconnaissance. In Hidden OAuth Attack Vectors, Michael Stepankin takes an alternative approach, reading the OAuth and OpenID specifications to uncover the hidden endpoints and design flaws that set the stage for enumeration, session manipulation and SSRF. Michael has also updated both ActiveScan++ and the Burp discovery wordlists so that this attack surface does not go unnoticed.
  6. Cache Poisoning at Scale. Youstin proves that web cache manipulation is still endemic and still widely neglected. DoS vulnerabilities are often dismissed by researchers, but the persistent, one-request takedowns offered by web cache poisoning are clearly taken seriously by many companies. This is also a solid demonstration of the art of chaining small inconsistencies in hidden headers and misconfigurations to create a serious vulnerability.
  7. JSON Interoperability Vulnerabilities. JSON Interoperability Vulnerabilities by Jake Miller takes an in-depth look at how to trigger JSON parsing inconsistencies, which are usually harmless, and at where they can become exploitable.
  8. Practical HTTP Header Smuggling. Daniel Thatcher isolates a core component of HTTP Request Smuggling and elegantly reorganizes it into a strategy that makes it possible to identify both CL.CL vulnerabilities and generic hidden header attacks; both are now built into Param Miner.
  9. HTTP Smuggling via Higher HTTP Versions. As of early 2021, HTTP/2 was believed to have no major security issues beyond timing attacks and minor DoS concerns. Emil Lerner's HTTP Smuggling Through Higher HTTP Versions busted this myth, using custom tools and innovative techniques to reveal numerous holes in the HTTP/2 to HTTP/1.1 conversion. 
  10. Fuzzing for XSS via nested parsers. With an old topic like XSS, it's all too easy to think we know everything there is to know about the topic. But Psych0tr1a shows us how stacked HTML sanitization rules can turn against each other, with incredible results. 
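Item 7 in the list is easy to underestimate, so here is an added illustration (not code from Jake Miller's research or from the article) of the simplest interoperability gap: two parsers that disagree on which value a repeated key should keep. A constructed request body carries the key "role" twice; a front component that keeps the first value sees "user" and lets the request through, while a back component that keeps the last value acts on "admin". The strict parser at the end refuses such documents outright, which is the defensive default for any security-relevant input.

```python
"""Duplicate-key handling across JSON parsers, and a strict parser that refuses
ambiguous documents.  Added illustration of the bug class named in item 7; not
code from Jake Miller's research.  The documents are constructed for the example.
"""
import json


def parse_first_wins(text):
    """Keep the first value for a repeated key, as some parsers do."""
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)
        return obj
    return json.loads(text, object_pairs_hook=hook)


def parse_last_wins(text):
    """Keep the last value, which is what Python's json module does by default."""
    return json.loads(text)


def parse_strict(text):
    """Reject any object that repeats a key.  Two parsers in one pipeline may
    otherwise disagree about what the document says."""
    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"duplicate key: {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=hook)


# Constructed request body: the same key twice, with conflicting values.
AMBIGUOUS = '{"user": "alice", "role": "user", "role": "admin"}'


def check_then_act(validator, consumer, text):
    """Model a two-stage pipeline: a front component validates the role, a back
    component then acts on the role it parses itself.
    Returns (allowed, role_used)."""
    allowed = validator(text)["role"] != "admin"    # front end refuses admin
    role_used = consumer(text)["role"] if allowed else None
    return allowed, role_used


def is_well_formed(text):
    """Gatekeeper built on the strict parser: True only for unambiguous input."""
    try:
        parse_strict(text)
    except ValueError:              # json.JSONDecodeError is a ValueError too
        return False
    return True


if __name__ == "__main__":
    print("first-wins validator, last-wins consumer:",
          check_then_act(parse_first_wins, parse_last_wins, AMBIGUOUS))
    print("same parser on both sides:",
          check_then_act(parse_last_wins, parse_last_wins, AMBIGUOUS))
    print("strict gate accepts ambiguous body:", is_well_formed(AMBIGUOUS))
```

The point of the strict gate is not the particular parser but the principle behind this whole class of findings: every component in a pipeline must see the same document, and the cheapest way to guarantee that is to reject input any conforming parser could read differently.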

Security is no longer optional. We rely on the web to connect needs with solutions. Unfortunately, however, too many companies struggle to secure their software and risk losing the trust of their customers.

We encourage you to invest in a secure and well-optimized hosting plan by choosing any of the NSHOST shared web, VPS or Cloud hosting packages, and to allocate the necessary time to a caching policy suited to your business, to ensure record loading times for every web page.