Supreme honors go to Billy Rios, Nathan McFeters, Rob Carter, and John Heasman for GIFAR! The judges were convinced their work stood out amongst the field. Beyond industry recognition, they also will receive the free pass to Black Hat USA 2009 (generously sponsored by Black Hat)! Now they have to fight over it. ;)
Congratulations to all!
Coming up at SnowFROC AppSec 2009 and RSA Conference 2009, it will be my great privilege to highlight the results. Each of the top ten techniques will be described in technical detail: how they work, what they can do, who they affect, and how best to defend against them. The opportunity provides a chance to get a closer look at the new attacks that could be used against us in the future -- some of which already have been.
Top Ten Web Hacking Techniques of 2008!
1. GIFAR (Billy Rios, Nathan McFeters, Rob Carter, and John Heasman)
2. Breaking Google Gears' Cross-Origin Communication Model (Yair Amit)
3. Safari Carpet Bomb (Nitesh Dhanjani)
4. Clickjacking / Videojacking (Jeremiah Grossman and Robert Hansen)
5. A Different Opera (Stefano Di Paola)
6. Abusing HTML 5 Structured Client-side Storage (Alberto Trivero)
7. Cross-domain leaks of site logins via Authenticated CSS (Chris Evans and Michal Zalewski)
8. Tunneling TCP over HTTP over SQL Injection (Glenn Wilkinson, Marco Slaviero and Haroon Meer)
9. ActiveX Repurposing (Haroon Meer)
10. Flash Parameter Injection (Yuval Baror, Ayal Yogev, and Adi Sharabani)
The List
- CUPS Detection
- CSRFing the uTorrent plugin
- Clickjacking / Videojacking
- Bypassing URL Authentication and Authorization with HTTP Verb Tampering
- I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
- Safari Carpet Bomb
- Flash clipboard Hijack
- Flash Internet Explorer security model bug
- Frame Injection Fun
- Free MacWorld Platinum Pass? Yes in 2008!
- Diminutive Worm, 161 byte Web Worm
- SNMP XSS Attack (1)
- Res Timing File Enumeration Without JavaScript in IE7.0
- Stealing Basic Auth with Persistent XSS
- Smuggling SMTP through open HTTP proxies
- Collecting Lots of Free 'Micro-Deposits'
- Using your browser URL history to estimate gender
- Cross-site File Upload Attacks
- Same Origin Bypassing Using Image Dimensions
- HTTP Proxies Bypass Firewalls
- Join a Religion Via CSRF
- Cross-domain leaks of site logins via Authenticated CSS
- JavaScript Global Namespace Pollution
- GIFAR
- HTML/CSS Injections - Primitive Malicious Code
- Hacking Intranets Through Web Interfaces
- Cookie Path Traversal
- Racing to downgrade users to cookie-less authentication
- MySQL and SQL Column Truncation Vulnerabilities
- Building Subversive File Sharing With Client Side Applications
- Firefox XML injection into parse of remote XML
- Firefox cross-domain information theft (simple text strings, some CSV)
- Firefox 2 and WebKit nightly cross-domain image theft
- Browser's Ghost Busters
- Exploiting XSS vulnerabilities on cookies
- Breaking Google Gears' Cross-Origin Communication Model
- Flash Parameter Injection
- Cross Environment Hopping
- Exploiting Logged Out XSS Vulnerabilities
- Exploiting CSRF Protected XSS
- ActiveX Repurposing, (1, 2)
- Tunneling tcp over http over sql-injection
- Arbitrary TCP over uploaded pages
- Local DoS on CUPS to a remote exploit via specially-crafted webpage (1)
- JavaScript Code Flow Manipulation
- Common localhost dns misconfiguration can lead to "same site" scripting
- Pulling system32 out over blind SQL Injection
- Dialog Spoofing - Firefox Basic Authentication
- Skype cross-zone scripting vulnerability
- Safari pwns Internet Explorer
- IE "Print Table of Links" Cross-Zone Scripting Vulnerability
- A different Opera
- Abusing HTML 5 Structured Client-side Storage
- SSID Script Injection
- DHCP Script Injection
- File Download Injection
- Navigation Hijacking (Frame/Tab Injection Attacks)
- UPnP Hacking via Flash
- Total surveillance made easy with VoIP phone
- Social Networks Evil Twin Attacks
- Recursive File Include DoS
- Multi-pass filters bypass
- Session Extending
- Code Execution via XSS (1)
- Redirector’s hell
- Persistent SQL Injection
- JSON Hijacking with UTF-7
- SQL Smuggling
- Abusing PHP Sockets (1, 2)
- CSRF on Novell GroupWise WebAccess
26 comments:
congrats
and BOOOOOO
LOL. Do a mapping to source code solutions if you like. :)
Thanks for the recognition!
We'll have a Rock Band 2 guitar competition to see who the ultimate winner of the BH ticket is.
-Nate
hahah, take a picture! Hackers playing Rock Band. Will rock for BH ticket! :)
how come the activeX repurposing has 3 links at the bottom but only 1 at the top?
I limited all the top ten links to one for cosmetic purposes. Had planned to add any useful additional reference links to the index as they come up.
congratulations all, although I do not completely agree :)
And the real winner was....
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
I agree with Gareth on that one... while I was glad to win the pwnie this year, I mentioned at the show the only reason Dowd lost out was cause he was a judge.
He easily could have won this, and def. should've been on the list.
To me, the only reason GIFAR was all that interesting was that it provided a way to compromise something more than just user data without a memory corruption.
Eh, I was planning to ignore this, since I always disagree with these lists, but #2 just makes me bitter since they didn't even realise the full potential of it with Firefox/E4X (slides 26-27 here: http://powerofcommunity.net/poc2008/kuza55.pdf and since it seems they're hosting my old slides there, there are some slides with more details (slides 54-57) here: http://www.ruxcon.org.au/files/2008/Attacking_Rich_Internet_Applications.pdf)
P.S. Congrats Billy, Nate, Rob & John :) Though given your employers usually pay for blackhat tickets, I'm not really sure what the benefit there is ;p
Thanks for the congrats Kuza! Yeah, it's tough economic times though man, you never know... that ticket might come in handy.
Maybe we'll donate it to you though.... of course, you'd still have to get the flight covered.
Good to see some South Africans on the list. Kudos guys!
And ACSRF ? :)
http://esl.epitech.eu/acsrf
I congratulate the winners - the authors of GIFAR. And all authors of top 10 web hacking techniques.
GIFAR is nice, but all top 10 techniques are nice. All web hacks of 2008 are interesting.
Thanks MustLive!
I agree, I think the best part of this is not some award, but the acknowledgement of some real interesting research all in one place.
-Nate
Congrats Nate and company! There were very interesting submissions, although I must say I'm surprised by some of the appearances in the top 10 list.
Congrats... Not sure I agree with the top 10, but then putting together a list that security professionals all agree on is an exercise in futility.
Thx everybody. There were a lot of great techniques this year. Glad I wasn't a judge ;)
Congrats to all.
The gifar hack is really very interesting thinking.
My choice for the "chutzpah" award (if there was such a thing) is the CSS hack (number 7). It is very simple and effective.
South Africa has about 4 banks and I actually implemented number 7 in about half an hour, during a meeting that was very boring.
And it amazed people. (Actually shocked ... which is good for Security awareness)
Hey Jeremiah. Excellent read, I'm glad our work impressed the panel! As an aside, and in a completely vain attempt to get my name higher in Google rankings (who does that? ;) ), could you s/Willinson/Wilkinson for the SensePost number 8 entry? Might also be more useful to link to www.sensepost.com/research/reDuh/ instead of the direct link to the tool, as there's some blurb to read there.
Glenn
@Glenn, first great work on the research and congratulations on making the list! Made the corrections you specified, sorry for the delay.
@Jeremiah. Thanks for the kind words and update!
Glenn
This is an awesome top ten list Jeremiah, really interesting hacks. You can post this to our site http://www.toptentopten.com/ and then link back to your site. We are looking for content and in return our users will track back to your site. The coolest feature is you can let other people vote on the rankings of your list.
Thanks for sharing results, Jeremiah. Great resources in 1 place. I shared a link to here on Twitter too (smile). Hope your traffic surges; good stuff for professionals.
@CheriSigmon
@Rob, me too! So many great techniques. You know there has got to be some sick combos one can do -- especially considering all the stuff from the last two years.
@Cheri, thank you, glad you liked it. It is good to have all this stuff in one spot.