Black Hat Europe redux: The best web hacking talks of 2022
Follow the highlights from last week’s cybersecurity conference
Alongside the release of hacking tools and a thought-provoking keynote, there was plenty on offer for cybersecurity professionals among the briefings at Black Hat Europe last week.
Vulnerability researchers often leave out the nitty-gritty in conversations that focus on their success in finding vulnerabilities, but a pair of hackers from Trellix gave a talk on how to learn from missteps and mistakes along the way.
Apparent failures can offer useful lessons and – mixed with no small amount of grit and persistence – ultimately result in significant discoveries, researchers Douglas McKee and Philippe Laulheret told Black Hat delegates.
The session – ‘Fail Harder: Finding Critical 0-Days in Spite of Ourselves’ – took a “deep dive into all the things that didn’t work, along with the many challenges that preceded the discovery of critical zero-day bugs across multiple projects”.
Among other things, the researchers explained how “failing harder” requires “a lot of time spent on examining systems before they can be hacked”.
Ethics in social engineering
In another talk, Ragnhild ‘Bridget’ Sageng from Orange Cyberdefence explored the ethics of using social engineering in penetration testing.
Such tests try to raise employee awareness of phishing attacks, but if not well thought out, they can backfire – especially if workers are tricked or blamed for mistakes. Playing the blame game goes against promoting a productive learning experience, argued Sageng.
After all, the results of such tests have shown that even security experts can fall victim to phishing lures, hence the need to increase focus on the (often neglected) post-engagement process.
Back in the arena of finding vulnerabilities in technology, researcher Noam Moshe of Claroty’s Team82 explained how they discovered that a number of web application firewalls (WAFs) could be made blind to SQL injection payloads.
The issue – which stemmed from a lack of support for JSON syntax in the SQL injection inspection process – affected technology from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5 and Imperva. All five resolved the problem after Claroty reported it, as explained in more detail by The Daily Swig last week.
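A WAF that inspects SQL injection payloads is a compensating control: it only blocks the syntax it knows how to parse, so an application that still splices input into query text remains exposed to whatever the inspector does not recognise. The example below is added here and is not code from the talk or from any of the vendors named; it uses Python's built-in sqlite3 module and a constructed two-row table to contrast string concatenation with a parameterized query, where the input is bound as data and never re-parsed as SQL, whatever syntax it uses.

```python
import sqlite3

# Constructed sample input: a textbook injection string. With concatenation it
# rewrites the WHERE clause; with a bound parameter it is just an unmatched name.
CONSTRUCTED_INJECTION = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "constructed-secret-a"), ("bob", "constructed-secret-b")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable pattern: the caller's input becomes part of the SQL text.

    Any filter placed in front of this function has to recognise every syntax
    the database engine accepts; the application itself does nothing to help.
    """
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened pattern: the query text is fixed and the input is bound as a value.

    The database never parses the input as SQL, so the question of which
    syntax an inspector understands does not arise.
    """
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = setup_db()
    print("concatenated :", lookup_concatenated(db, CONSTRUCTED_INJECTION))
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_INJECTION))
```

The concatenated lookup returns every row for the constructed input, the parameterized one returns none. The point for defenders is that the parameterized version would behave the same way for a payload in any syntax, JSON included, because it is the application rather than a perimeter inspector that decides what is data.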
Deserialization errors have caused a steady stream of problems for traditional apps in recent years. The hacking technique has also proven to be a problem for Android-based mobile systems.
During a presentation at Black Hat Europe, a team of Google engineers outlined the development of Android Parcels, a technology designed to handle cross-process interaction and limit errors arising from deserialization.
Bohemian hack story
Active defense has been discussed as an approach to prevent cyberattacks orchestrated by nation-states for several years. The details of how such an approach might work in practice have been shrouded in secrecy, but a conversation between two threat intelligence experts from the Treasury in the Czech Republic showed how a combination of threat intelligence and active defense was used to thwart a series of attacks blamed on Russia.
The analysts explained that it was only by continuously improving the threat model and fine-tuning the approach that they were able to make critical information infrastructure more resilient.
Connected by the light
Cybersecurity researchers and bug hunters were offered insight into how it might be possible to hack web-based frameworks by abusing DataBinding.
DataBinding is used to bind request parameters to a domain object.
However, implementation errors in data binding have created a number of bugs on platforms including Spring, Struts, Grails, and Ruby on Rails.
Haowen Mu and Biao He from Ant Security FG Lab explained how the insecurity of the DataBinding mechanism itself led to the infamous Spring4Shell, among other bugs, during their presentation at Black Hat.
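The underlying risk in DataBinding is that a binder which writes any request parameter whose name matches a property, including dotted paths into nested objects, lets a request reach state that was never meant to be client-controlled. The example below is added here and is not code from the talk, from Spring or from any other framework; it is a toy Python binder over constructed dataclasses, with a constructed request carrying a privileged flag and a nested path, shown once with unrestricted binding and once with an explicit allowlist and type check.

```python
from dataclasses import dataclass, field, fields


class BindingError(ValueError):
    """Raised by the hardened binder when a parameter is not bindable."""


@dataclass
class Settings:
    # Constructed internal configuration: must never be request-controlled.
    log_path: str = "/var/log/app.log"


@dataclass
class Account:
    username: str = ""
    email: str = ""
    is_admin: bool = False            # privileged flag, never bindable
    settings: Settings = field(default_factory=Settings)


# Constructed request body (values already decoded, as from a JSON body).
# Two of the three parameters have no business being bound from a request.
CONSTRUCTED_REQUEST = {
    "username": "alice",
    "is_admin": True,
    "settings.log_path": "/tmp/anywhere",
}


def bind_unrestricted(target, params):
    """Vulnerable binder: every parameter name is resolved as an attribute path
    and written, so a request can set privileged fields and walk into nested
    objects. This is the behaviour class the talk attributes to DataBinding."""
    for name, value in params.items():
        obj = target
        parts = name.split(".")
        for part in parts[:-1]:
            obj = getattr(obj, part)
        setattr(obj, parts[-1], value)
    return target


# Hardened binder: only these top-level fields may come from a request.
ALLOWED_FIELDS = frozenset({"username", "email"})


def bind_allowlisted(target, params, allowed=ALLOWED_FIELDS):
    """Hardened binder: reject anything outside the allowlist (which also rules
    out dotted paths) and check the value against the declared field type."""
    declared = {f.name: f.type for f in fields(target)}
    for name, value in params.items():
        if name not in allowed:
            raise BindingError(f"parameter {name!r} is not bindable")
        if not isinstance(value, declared[name]):
            raise BindingError(f"parameter {name!r} has the wrong type")
        setattr(target, name, value)
    return target


def is_rejected(params) -> bool:
    """True when the hardened binder refuses the whole request."""
    try:
        bind_allowlisted(Account(), params)
    except BindingError:
        return True
    return False


if __name__ == "__main__":
    loose = bind_unrestricted(Account(), CONSTRUCTED_REQUEST)
    print("unrestricted:", loose)
    print("allowlisted rejects constructed request:", is_rejected(CONSTRUCTED_REQUEST))
```

Rejecting the whole request rather than silently dropping the unexpected parameters is a deliberate choice: a parameter aimed at an internal field is a signal worth logging, not noise to discard. Real frameworks also coerce string form values to field types; the check here assumes already-typed values to keep the allowlist logic visible.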