Summary

  • Security researcher Abhijeet Kumawat has written a piece for medium.com entitled “Hackers’ Hidden Playground: Exploiting Underrated Web Vulnerabilities Like a Pro,” in which he argues that many bug hunters concentrate on well-known vulnerabilities such as XSS (cross-site scripting), SQL (Structured Query Language) injection and SSRF (server-side request forgery), while ignoring less well-known vulnerabilities that can be just as dangerous.
  • He argues that while such well-known vulnerabilities are important to find and fix, many organisations have got better at fixing them, whereas less well-known vulnerabilities often go undetected.
  • He then looks at three “underrated” vulnerabilities and the potential damage they can do if misused, using real-world exploitation examples.
  • The first is host header injection, which he describes as a method of manipulating the host header in order to bypass security filters, perform cache poisoning attacks and/or hijack password reset links.
  • The second is what he calls “append-only attacks,” which can allow an attacker to create permanent backdoors in application logs.
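
For the host header point above, the following added example (not code from the article or its author) contrasts a password reset link built from the request's Host header with one built from configuration after an allowlist check. The hostnames, the allowlist, the function names and the assumption that no trusted proxy sets X-Forwarded-Host are all constructed for illustration.

```python
# Added example: hostnames and settings are constructed, not from the article.
CANONICAL_ORIGIN = "https://app.example.com"             # assumed deployment setting
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}   # assumed allowlist


def normalize_host(raw):
    """Return the lowercase hostname from a Host header value, or None if malformed."""
    if not raw or any(c in raw for c in " \t\r\n/@\\,"):
        return None
    host = raw.lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        name, rest = host[: end + 1], host[end + 1:]
    else:
        name, sep, port = host.partition(":")
        rest = sep + port
    if rest and not (rest[0] == ":" and rest[1:].isdigit()):
        return None                          # junk after the hostname
    return name.rstrip(".") or None          # drop a trailing root dot


def is_allowed_host(headers):
    """Accept only allowlisted hosts; refuse a conflicting forwarded host."""
    host = normalize_host(headers.get("Host"))
    if host not in ALLOWED_HOSTS:
        return False
    fwd = headers.get("X-Forwarded-Host")
    # Assumption: no trusted proxy sets this header, so any mismatch is refused.
    return fwd is None or normalize_host(fwd) == host


def reset_link_vulnerable(headers, token):
    # The risky pattern: the link's origin is taken from the request itself.
    return f"https://{headers.get('Host')}/reset?token={token}"


def reset_link_hardened(headers, token):
    # The origin comes from configuration; the header is only validated.
    if not is_allowed_host(headers):
        raise ValueError("untrusted Host header")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"
```
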

By Abhijeet Kumawat

Original Article