Our latest roundup of notable technical research kicks off with web security pioneer James Kettle breaking new ground again with his latest Black Hat USA presentation.
The PortSwigger director of research begins his writeup for ‘Listen to the whispers: web timing attacks that actually work’ by urging his peers to start listening to the “timing oracles” pervading websites since they are “eager to divulge their innermost secrets”. His latest tour de force promises to “unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface”. 🔥 With theoretically sound web timing attack techniques all too often failing when applied to real-world scenarios, he illustrates each technique for exploiting this neglected side channel “with multiple real-world case studies on diverse targets”. The researcher also provides “battle-tested open-source tools” and a CTF. 👏
Vast attack surface
Orange Tsai, a researcher of comparable renown, has unearthed another vast attack surface linked to architectural problems with Apache HTTP Server. In ‘Exploiting Hidden Semantic Ambiguity in Apache HTTP Server’, which also featured at Black Hat, Tsai revealed how he pioneered 20 ‘confusion attack’ techniques and found nine related vulnerabilities. 🔥 He has cited the biggest highlights as escaping from DocumentRoot to System Root, bypassing built-in ACL/Auth with just '?', and turning XSS into RCE with legacy code from 1996. 💪 He also warned that more types of confusion attacks will emerge “unless the Apache HTTP Server undergoes architectural improvements or provides better development standards”.
Gotta cache ‘em all
The PortSwigger team had a productive August, with two of Kettle’s colleagues also publishing impressive research. Gareth Heyes ‘splits the email atom’ by demonstrating how to turn email parsing discrepancies into access control bypasses and even RCE, and provides a CTF for road-testing the skills duly acquired. 🔥 And in ‘Gotta cache ‘em all: bending the rules of web cache exploitation’ (👏 great title), Martin Doyhenard explores how various HTTP servers and proxies behave when parsing specially crafted URLs, as well as RFC ambiguities that create path confusion. He also details novel techniques for abusing parser discrepancies to achieve arbitrary web cache poisoning and deception in numerous websites and CDN providers. 💪
Date fright
Fortbridge researchers have documented a series of ‘broken access control vulnerabilities’ on a hugely popular dating app that, they claim, enabled attackers to read other users’ messages, access attachments (photos and videos) from their chats, and update someone else’s profile info, among other misdeeds. 😲 In a six-month disclosure timeline, the vendor apparently said the vulnerabilities have now been addressed.
A vulnerability in FIDO devices that use the Infineon SLE78 security microcontroller allows attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys and clone the FIDO device. Dubbed ‘EUCLEAK’, the side-channel attack requires extended physical access, specialized equipment, and an advanced understanding of electronics and cryptography. Credit goes to NinjaLab’s Thomas Roche, who previously devised a side-channel attack that enabled the cloning of Google Titan security keys. 🔐
A pair of writeups concerning security weaknesses in Microsoft Copilot to flag next. 🤖 First, Microsoft has seemingly remediated a vulnerability enabling a chain of exploits affecting the chatbot, including prompt injection via a malicious email (or hidden in a shared document); automatic tool invocation, without a human in the loop, to read other emails or documents; ASCII smuggling to stage data for exfiltration in a form invisible to the user; rendering hyperlinks to attacker-controlled domains (websites, mailto:); and, optionally, conditional prompt injection.
Second, Tenable Research has detailed a critical information-disclosure vulnerability in Copilot Studio via a server-side request forgery (SSRF) that leveraged Copilot’s ability to make external web requests. Combined with an SSRF protection bypass, the SSRF, which has now been patched, gave the researchers access to internal infrastructure for Copilot Studio.
Advanced server-side template exploitation with RCE everywhere
Our very own bug hunter and researcher enablement analyst has produced a pair of nifty hacking writeups since our last edition. 👊 In ‘Limitations are just an illusion: Advanced server-side template exploitation with RCE everywhere’, Brumens explains some novel techniques for exploiting SSTIs with complex, unique payloads that leverage default methods and syntax from various template engines. Better still, he achieves RCE without needing any quotation marks or extra plugins within the templates. Brumens also found time to pen a writeup on how to perform white-box penetration testing on a Python web application running in a Docker container, debug inside Visual Studio Code in order to track your payloads throughout the process, and understand how security filters can hide vulnerabilities in plain sight. 💪
In more Brumens-related news, the fourth and final WAF bypass module to emerge from his fantastic presentation on the topic at NahamCon 2024 has landed. As well as learning filter collision, transformation and space-excluding techniques on Dojo, now you can leverage encoding to turn your payload into a web application firewall nemesis. 🧠
OPEN the code; SOURCE the bounty
We already have proof for the concept that open source vulnerabilities can have a catastrophic impact, in the form of the landmark Log4Shell bug. The location of the devastating flaw, Log4j, happens to be among seven public Bug Bounty programs operated by the Sovereign Tech Fund, which invests in open digital infrastructure to ensure a resilient and sustainable open source ecosystem. 🌐 The comparable ubiquity of the other programs’ technologies – Systemd, GNOME, ntpd-rs, OpenPGP.js, Sequoia PGP and CycloneDX Rust Cargo – means it’s not hyperbolic to say that finding similarly critical bugs in these programs could help to prevent some pretty devastating downstream impacts. 💥 Mindful of the significance of these programs, we’ve summarised the hunting opportunities on offer – which can net you up to €10k rewards and, indeed, the satisfaction of helping to secure some pretty fundamental digital infrastructure. 💰
To mark Cybersecurity Awareness Month – starting tomorrow – we’re also giving away exclusive swag for any valid bugs reported to our #OpenSource programs 🎯 🎁 This is part of our ‘OPEN the code; SOURCE the bounty’ campaign.
We’re also delighted to showcase a new interview with one of the world’s most successful hunters, Nagli. Among other things, the Israeli hacker shares his journey into Bug Bounty, revisits his most memorable bug discovery, reveals the secrets behind his success, discusses currently productive scopes, and offers invaluable advice for aspiring bug hunters. 💎
Leaderboard latest
As well as financial rewards and invites to private programs, an ultimate dividend of all this hunting education and advice could be a place on our leaderboard and the respect of your peers. To this end, let us give thanks to and express admiration for all-time runaway leader rabhi, who sits at the summit of the Q3 rankings so far for 2024, to Rbcafe (second in Q3) and to Xel (third for Q3, and recent climber into the all-time top three). The podium for 2024 as a whole so far: rabhi, Noam and Xel. 👏 🏆
Xel was among those to add to their points tally through participation at our live Bug Bounty in Rome over the weekend. Italy’s first-ever live hacking event, the competition featured targets from Ferrero, the maker of Ferrero Rocher, Kinder Bueno and other sweet-packaged delights. The event took place at RomHack 2024.
During a busy October on the conference front, YesWeHack will have a booth at Cyber Security World Asia (9-10 October; Marina Bay, Singapore), Assises de la Cybersécurité 2024 (Monaco, 9-12 October), GITEX (Dubai, 14-18 October), IT-SA (Nuremberg, 22-24 October) and Cyber Security Nordic (Helsinki, 29-30 October). 🌍
Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.
Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.