This guy's work always impresses me. He had a nice Blackhat brief as well.<p>This list is great and all for redteamers, but as a defender I would like to know if any actual threat actors used these techniques even after publication. Even with all the secret/private and public threat intel I am aware of, none of them register. Not knocking threat research, I am honestly curious, because I can't tell if I should be on the lookout for any real threat actors using these techniques.
The work on exploiting prototype pollution was excellent <a href="https://blog.s1r1us.ninja/research/PP" rel="nofollow">https://blog.s1r1us.ninja/research/PP</a><p>I didn’t know about the --disable-proto option in node or the Document Policy proposal for dealing with it.<p>Amazing that 80% of nested query parameter parsers were susceptible to prototype pollution.
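To make the nested-query-parameter finding concrete, here is an added example (not code from the linked research or from any commenter): a toy bracket-syntax query parser in a naive form that a crafted key can use to pollute `Object.prototype`, beside a hardened form that drops prototype-related key segments and builds null-prototype objects. The parser syntax, function names and the crafted input are all assumptions for illustration.

```javascript
// Added example, not from the linked research or any commenter: a toy nested
// query-string parser ("a[b]=1" -> {a:{b:"1"}}), naive and hardened. The naive
// form lets a crafted key pollute Object.prototype; the hardened form does not.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][c]" -> ["a", "b", "c"]; a key without brackets comes back as [key].
function splitKey(key) {
  const m = key.match(/^([^[\]]+)((?:\[[^[\]]*\])*)$/);
  if (!m) return [key];
  const segs = m[2].match(/\[([^[\]]*)\]/g) || [];
  return [m[1], ...segs.map((s) => s.slice(1, -1))];
}

// Naive: plain {} intermediates and unchecked keys, so the path
// "__proto__" -> "x" walks into Object.prototype and writes x there.
function parseNaive(qs) {
  const out = {};
  for (const pair of qs.split("&").filter(Boolean)) {
    const [k, v = ""] = pair.split("=").map(decodeURIComponent);
    const path = splitKey(k);
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = v;
  }
  return out;
}

// Hardened: drop any pair whose path has a prototype-related segment, and use
// null-prototype objects so there is no inherited __proto__ setter to reach.
function parseHardened(qs) {
  const out = Object.create(null);
  for (const pair of qs.split("&").filter(Boolean)) {
    const [k, v = ""] = pair.split("=").map(decodeURIComponent);
    const path = splitKey(k);
    if (path.some((seg) => UNSAFE_KEYS.has(seg))) continue;
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(cur, seg);
      if (!own || typeof cur[seg] !== "object") cur[seg] = Object.create(null);
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = v;
  }
  return out;
}
```

Feeding both parsers a constructed query such as `__proto__[polluted]=yes&user[name]=alice` shows the difference: after the naive parse a fresh `{}` inherits `polluted`, after the hardened parse it does not, while `user.name` still comes through.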
As a web programmer, for whom the majority of this article is not only new, but difficult to comprehend, it makes me yearn to improve my web security knowledge. Any pointers?
Five out of ten new techniques are langsec, which makes them inherently difficult to fix, yet we keep using unreasonably complex languages for protocols and keep stapling on more complexity, resulting in formally assured insecurity.
It got me thinking: is client-side rendering intrinsically safer than SSR?<p>SQL queries with params are safer because data and code flow separately. Similarly, if you query the backend for data and then do textContent = response, that cannot do XSS, right?
Not super on topic, but every time this site is linked, I never properly read the URL correctly. My brain immediately thinks the space is between the 's' and 'w'.
Interesting community built list of the top 10 web hacking vulnerabilities used in 2021.
If you're making a web product you might want your team to quickly run over these.
Man, the JSON inconsistency one is creative. I knew the implementation isn't consistent across languages, but I didn't know it could be used for such attacks.
Anyone here who works on this kind of deep-dive security research? Can you give a TLDR of how you usually set everything up to find these results?<p>As in, do you set up some sort of test environment/website with full debug logs and take it one step at a time from there? If so, how do you ensure that it is realistic and relevant to real-world use, since real-world architecture might differ from a setup that worked in your experiments?<p>I ask this because I used to do some bug bounties and it consisted of a lot of painful trial and error. I can't imagine anything new and profound can be found that way.<p>(PS: in case it isn't obvious, I didn't open up the research links and read in detail, hence a TLDR.)
It baffles me how convoluted and complex the webapp attacks have become over the past few years.<p>I think this is an effect of bug-bounty hunting, which has pretty much opened the research on those topics to a massive community.
What about GWT (Google Web Toolkit)? It's actually not updated that much and not in the top news, but the idea is to implement both frontend and backend in a proven language, Java.
The HN title needs updating as it's misleading, even if it reflects the title on the website. The first sentence even clarifies it's only new techniques.<p>"Welcome to the Top 10 (new) Web Hacking Techniques of 2021, the latest iteration of our annual community-powered effort to identify the most significant web security research released in the last year".<p>The top web hacking techniques used and the top new ones I would expect to be very different lists.
I'm not an expert here, but truly interested to hear responses to this question.<p>To say that 1+1=2 is "true", does that not require a corollary in "reality" to something fundamental that can be called a "one" object? I believe this is called mathematical constructivism.<p>Imagine, hypothetically, that we cannot identify something that is physically fundamental and individual. My question is whether any mathematics in that scenario could be considered "true" without such constructivism, in other words, without a physical correspondence to an unquestionably, physically fundamental "one" object.