This year is special, because the researcher who places #1 will not only receive praise amongst his peers, but also receive one free pass to attend the BlackHat USA Briefings 2009! Over $1,000 (US) value. Generously sponsored by BlackHat. Winners will be chosen by a panel of judges (Rich Mogull, Chris Hoff, HD Moore, Jeff Forristal) on the basis of novelty, impact, and pervasiveness.
We’re also going to need your help. Below we’re building the living list of everything found so far. If anything is missing, and we’re positive there is because last year had over 80, we’d appreciate it if you could post a comment containing the link. Thank you and good luck!
Cross-Site Printing(2007 issue)
- CUPS Detection
- CSRFing the uTorrent plugin
- Clickjacking / Videojacking
- Bypassing URL Authentication and Authorization with HTTP Verb Tampering
- I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
- Safari Carpet Bomb
- Flash clipboard Hijack
- Flash Internet Explorer security model bug
- Frame Injection Fun
- Free MacWorld Platinum Pass? Yes in 2008!
- Diminutive Worm, 161 byte Web Worm
- SNMP XSS Attack (1)
- Stealing Basic Auth with Persistent XSS
- Smuggling SMTP through open HTTP proxies
- Collecting Lots of Free 'Micro-Deposits'
- Using your browser URL history to estimate gender
- Cross-site File Upload Attacks
- Same Origin Bypassing Using Image Dimensions
- HTTP Proxies Bypass Firewalls
- Join a Religion Via CSRF
- Cross-domain leaks of site logins via Authenticated CSS
- HTML/CSS Injections - Primitive Malicious Code
- Hacking Intranets Through Web Interfaces
- Cookie Path Traversal
- Racing to downgrade users to cookie-less authentication
- MySQL and SQL Column Truncation Vulnerabilities
- Building Subversive File Sharing With Client Side Applications
- Firefox XML injection into parse of remote XML
- Firefox cross-domain information theft (simple text strings, some CSV)
- Firefox 2 and WebKit nightly cross-domain image theft
- Browser's Ghost Busters
- Exploiting XSS vulnerabilities on cookies
- Breaking Google Gears' Cross-Origin Communication Model
- Flash Parameter Injection
- Cross Environment Hopping
- Exploiting Logged Out XSS Vulnerabilities
- Exploiting CSRF Protected XSS
- ActiveX Repurposing, (1, 2)
- Tunneling tcp over http over sql-injection
- Arbitrary TCP over uploaded pages
- Local DoS on CUPS to a remote exploit via specially-crafted webpage (1)
- Common localhost dns misconfiguration can lead to "same site" scripting
- Pulling system32 out over blind SQL Injection
- Dialog Spoofing - Firefox Basic Authentication
- Skype cross-zone scripting vulnerability
- Safari pwns Internet Explorer
- IE "Print Table of Links" Cross-Zone Scripting Vulnerability
- A different Opera
- Abusing HTML 5 Structured Client-side Storage
- SSID Script Injection
- DHCP Script Injection
- File Download Injection
- Navigation Hijacking (Frame/Tab Injection Attacks)
- UPnP Hacking via Flash
- Total surveillance made easy with VoIP phone
- Social Networks Evil Twin Attacks
- Recursive File Include DoS
- Multi-pass filters bypass
- Session Extending
- Code Execution via XSS (1)
- Redirector’s hell
- Persistent SQL Injection
- JSON Hijacking with UTF-7
- SQL Smuggling
- Abusing PHP Sockets (1, 2)
- CSRF on Novell GroupWise WebAccess
Turning a local DoS vulnerability on CUPS into a remote exploit via specially-crafted webpage
This research nicely shows how combining different bugs, can allow us to turn a local crash, into a remote exploit via a specially-crafted webpage.
The three vulns in particular are (copied and pasted from original source):
1. CUPS allows anonymous users to add/remove RSS Subscriptions. This issue only affects CUPS <1.3.8. I later learned that this issue had been reported in the past and tracked by Apple as STR #2774. This issue is also being tracked as CVE-2008-5184
2. HTTP requests submitted to the CUPS web interface (http://localhost:631/) can be forged due to lack of tokenization (CSRF)
3. Exceeding the maximum # of RSS Subscriptions (100 by default) leads to a NULL pointer dereference crash. This issue is being tracked as CVE-2008-5183
original blog post
right on, that is a cool one! #45
localhost. record in domain pointing to 127.0.0.1 + XSS vulnerability in local application with web interface as source for cookies for this domain and the potential threat with other applications listening on local interface.
Thanks Martin, I've added it to the list!
Few of mine:
Yet another Dialog Spoofing - Firefox Basic Authentication
Skype cross-zone scripting vulnerability
Safari pwns IE (Blended Threat)
IE "Print Table of Links" Vulnerability
A different Opera
Remembering 'Forgot My Password': Turning DNS Compromise Into A Generic Authentication Bypass For Most Web Frameworks And Major Properties
I'm sure everyone's sick of the DNS brouhaha, but I'd like to point out that there really weren't many systems *not* vulnerable to having their DNS polluted, thus causing their "forgotten password" emails to go to a controllable location. This attack was particularly fun on content management frameworks, because you don't just get the ability to read content: Forget the admin's password, and suddenly you get to post or modify arbitrary PHP thus allowing full remote code execution.
Whether it's more significant to get code execution on a CMS or user-level access to MySpace/Facebook/Google/Yahoo/AIM/Hotmail /GoToMyPC from one common attack is up to the discretions of the reader.
Jeremiah what about my work? Abusing HTML 5 Structured Client-side Storage: http://trivero.secdiscover.com/html5whitepaper.pdf
Do you think it's a good one for a mention?
I know, it's not fair to endorse themselves.. :)
@avivra, you are now added to the list. Thanks much for the contribution!
@DanK, we still love ya and would be happy to add a reference. Do you have a preferred one you'd like linked? Having trouble finding one myself.
@ameft, absolutely you can! I'm hoping more people do since its so tough to keep track. Added to the list!
So far this is just looking like a massive pileup of vuln researcher self-fellatio. Meh.
Pers XSS in embedded devices via evil SSID and DHCP hostname by Rafael Dominguez is quite cool stuff:
jeff's file download injection technique
Ok, this is going to be a long list:
* Navigation Hijacking (Frame/Tab Injection Attacks) - http://www.gnucitizen.org/blog/hijacking-innocent-frames/
* UPnP Hacking via Flash (really hot stuff and it affects all of your home appliance including your TV if it has been bought recently) - http://www.gnucitizen.org/blog/hacking-the-interwebs/
* Router Hacking Challenge (the biggest hacker challenge done so far and all of it is web stuff) - http://www.gnucitizen.org/blog/router-hacking-challenge/
* Total surveillance made easy with VoIP phones (one of the best web hacks ever) - http://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/
* Call Jacking: Phreaking the BT Home Hub (really cool web hack) - http://www.gnucitizen.org/blog/call-jacking/
* Social Networks Evil Twin Attacks (well, maybe not so much Web oriented) - http://www.gnucitizen.org/blog/social-networks-evil-twin-attacks/
* The Pownce Worm - http://www.gnucitizen.org/blog/the-pownce-worm/
I sent you email with my 18 researches, which I published in 2008. These researches are just a part of researches which I made last year and with time I'll publish many other my researches (which I made in 2006, 2007 and 2008 years).
Do you make a list of hacking techniques only for 2008? Because such interesting technique as Cross-Site Printing was published in December 2007 and was in Top Web Hacking Techniques of 2007 (is it needed to repeat yourself). If it'll be new version of technique, than it's other case.
Besides, about same-site scripting which was mentioned by Martin. I already wrote about attacking (particularly by XSS) localhost aka 127.0.0.1 already in November 2006 in my article Using of vulnerabilities at local machines (http://websecurity.com.ua/369/). Which you can read on English (http://www.google.com/translate?u=http://websecurity.com.ua/369/&langpair=ua%7Cen&hl=en&ie=UTF8).
@Adrian, got them down at #55 and #56. Thanks much!
@Arshan, locked in at #57. Good one too, forgot about that.
@pdp, added most, but not all. Couldn't decide on a couple, but open to being convinced.
"Router Hacking Challenge", seem liked a collection of vulnerabilities, not "techniques". Didn't seem novel enough over existing research. Same reasoning behind "Call Jacking: Phreaking the BT Home Hub" and "The Pownce Worm". What should be reconsidered?
JSON Hijacking with UTF-7.
pp.57-62 of http://powerofcommunity.net/poc2008/hasegawa.pptx
Winamp "NowPlaying" Unspecified Vulnerability: The Details (http://blog.watchfire.com/wfblog/2008/09/winamp-nowplayi.html)
CSRF on Novell GroupWise WebAccess allows email theft and other attacks
Although this vulnerability has just been published now in the year 2009, it was discovered in October 2008, thus I thought it was worth adding to the list.
By forging the request that adds a new forwarding rule, a copy of any email sent to the victim user will be sent to the attacker's inbox.
The bug affects all supported versions of Novell GroupWise, the third-biggest corporate email software product which has a base of about 30 million users according to Novell.
It could be argued that this is a vulnerability, and not a technique. Well, in reality it's both. The feature being forged is different to the usual CSRF payloads that most people are familiar with:
- adding a new administrative user (applies to admin consoles)
- changing the targeted user's password (would only work if the current password is NOT required to change to a new one)
- transferring money (applies to financial apps)
Adrian, yes it's possible to include this new research in current list.
It depends on position of the author. For example, yesterday I wrote article Enumerating logins via Abuse of Functionality vulnerabilities (http://websecurity.com.ua/2840/, which you can read on English http://www.google.com/translate?u=http://websecurity.com.ua/2840/&langpair=ua%7Cen&hl=en&ie=UTF8).
I made this research in March 2008, but because I published it this year, this article would be for 2009's hack techniques.
@Adrian, not to take anything way from the good research, but I don't think this qualify as a new "technique." While there is some wiggle room for inclusion, really wanted to stay away from a general list of vulnerabilities.
@Yair, Im on the edge on this one. Its cool stuff for sure, but can we consider this web-based? I'll probably take your word for it either way...what do you think?
I have sent my submission on your email id email@example.com
If it needs to be changed. Let me know.
All part of the same attack:
Released end of 2007, but publicized this year .
Also was a recent lecture at RSA Conference Europe...
Abusing PHP sockets added, as was SQL Smuggling and CSRF on Novell GroupWise WebAccess.
Thanks all, good work!
what about the CSS Attribute Reader?
Was paralelly discovered by Wisec and I (and I disclosed it on Microsoft Bluehat, and Wisec disclosed it on RuxCon), check out wisec's PoC:
What that is doing, is reading from here:
The value of a hidden attribute:
input type='hidden' value='ap23_$$'
It's a potential attack for XSS without JS (Cross Site Styling?)
- http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html (checkout the last title about CSS attribute reader)
Oh! and the CSSH! CSS Stealing Some History - Monitor!
What it does is it fetches all the websites you have visited, and the ones you "are" visiting.. so if for example, you go to www.w3.org and then on other tab you go to:
Then you can navigate on w3.org and the CSSH-MON will fetch all your navigation history (with the exact time you clicked each link).
The references are:
I would agree with CSS, I think these list can be quite useful in order to highlight the possibilities that now exist in CSS3. I am new to web development so I find SM a great resource for getting to know what the capabilities are. However I would agree with Philip, I don’t think that these tutorials should just be taken as they are and applied for the sake of it. More as a point of inspiration.
web designing training in chennai
Post a Comment