Black Hat Europe redux: The best web hacking talks of 2022

Black Hat Europe redux: The best web hacking talks of 2022

Follow the highlights from last week’s cyber security conference

Last week, Black Hat Europe showcased cutting-edge infosec research

Alongside the release of hacking tools and a thought-provoking keynote, there was plenty on offer for cybersecurity professionals among the briefings at Black Hat Europe last week.

Vulnerability researchers often leave out the nitty gritty in conversations that focus on their success in finding vulnerabilities, but a pair of hackers from Trellix gave a talk on how to learn from missteps and mistakes along the way.

Apparent failures can offer useful lessons and – mixed with no small amount of grit and persistence – ultimately result in significant discoveries, researchers Douglas McKee and Philippe Laulheret told Black Hat delegates.

The session – ‘Fail Harder: Finding Critical 0-Days in Spite of Ourselves’ – took a “deep dive into all the things that didn’t work, along with the many challenges that preceded the discovery of critical zero-day bugs across multiple projects”.

Among other things, the researchers explained how “failing harder” requires “a lot of time spent on examining systems before they can be hacked”.

Researchers Douglas McKee and Philippe Laulheret encouraged bug hunters to learn from mistakes

Ethics in social engineering

In another talk, Ragnhild ‘Bridget’ Sageng from Orange Cyberdefence explored the ethics of using social engineering in penetration testing.

Such tests try to raise employee awareness of phishing attacks, but if not well thought out, they can backfire – especially if workers are tricked or blamed for mistakes. Playing the blame game goes against promoting a productive learning experience, argued Sageng.

See also  How to stay digitally healthy in 2023

After all, the results of such tests have shown that even security experts can fall victim to phishing lures, hence the need to increase focus on the (often neglected) post-engagement process.

Wifi WAF

Back in the arena of finding vulnerabilities in technology, researcher Noam Moshe of Claroty’s Team82 explained how they discovered that a number of web application firewalls (WAFs) could be made blind to SQL injection payloads.

The issue – which stemmed from a lack of support for JSON syntax in the SQL injection inspection process – affected technology from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5 and Imperva. All five resolved the issue after Claroty highlighted the issue, as explained in more detail by The Daily Swig last week.

Deliver packages

Deserialization errors have caused a steady stream of problems for traditional apps in recent years. The hacking technique has also proven to be a problem for Android-based mobile systems.

During a presentation at Black Hat Europe, a team of Google engineers outlined the development of Android Parcels, a technology designed to handle cross-process interaction and limit errors arising from deserialization.

Bohemian hack story

Active defense has been discussed as an approach to prevent cyberattacks orchestrated by nation-states for several years. The details of how such an approach might work in practice have been shrouded in secrecy, but a conversation between two threat intelligence experts from the Treasury in the Czech Republic showed how a combination of threat intelligence and active defense was used to thwart a series of attacks blamed on Russia.

The analysts explained that it was only by continuously improving the threat model and fine-tuning the approach that they were able to make improvements to make critical information infrastructure more resilient.

See also  IT security researchers find two new surveillance tools targeting Uyghur mobile apps - Radio Free Asia

Connected by the light

Cybersecurity researchers and bug hunters were offered insight into how it might be possible to hack web-based frameworks by abusing DataBinding.

DataBinding is used to bind request parameters to a domain object.

The approach is supported by a variety of programming frameworks, including Java, JavaScript, Groovy, Python, and Ruby.

However, implementation errors in data binding have created a number of bugs on platforms including Spring, Struts, Grails, and Ruby on Rails.

Haowen Mu and Biao He from Ant Security FG Lab explained how the insecurity of the DataBinding mechanism itself led to the infamous Spring4Shell, among other bugs, during their presentation at Black Hat.

YOU MAY ALSO LIKE Black Hat Europe 2022: Hacking tools showcased at annual security conference

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *