Update 01.04.2010: Voting process is commencing this week! Expert judges are Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Romain Gaucher, Steven Christey, Jeff Forristal, and Michal Zalewski.Update: Awesome news, Black Hat is generously sponsoring the effort! The researcher topping the list will be awarded a free pass to attend the BlackHat USA Briefings 2010!
Just 2 weeks left in 2009. Time to start collecting all the latest published research in preparation for the coveted Top Ten Web Hacking Techniques list!
Every year Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. We are not talking about individual vulnerability instances with CVE numbers, nor intrusions / incidents, but the actual new methods of Web attack. Some target the website, some target the browser, or somewhere in between.
Historically many of these works would permanently reside in obscure and overlooked corners of the Web. Now it its fourth year the list provides a centralized reference point and recognizes researchers who have contributed to the advancement of our industry.
The top ten winners will be selected by a panel of judges (names to be announced soon) on the basis of novelty, potential impact, and overall pervasiveness. Those researchers topping the list can expect to receive praise amongst their peers as have those in past years (2006, 2007, 2008).
Then coming up at IT-Defense (Feb.) and RSA USA 2010 (Mar.) it will be my great honor to introduce each of the top ten during my “2010: A Web Hacking Odyssey” presentations. Each technique will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. Audiences get an opportunity to better understand the newest attacks believed most likely to be used against us in the future.
To make all this happen we are going to need a lot of help from the community. At the bottom of this post will be the living master list of everything published. If anything is missing, and we know for a fact there is, please comment containing the link to the research. We understand that while not every technique is as powerful as another, please make every effort to include them anyway, nothing should be considered too insignificant. You never know what method might be found useful another researcher down the road.
Thank you and good luck!
The Complete List
- Persistent Cookies and DNS Rebinding Redux
- iPhone SSL Warning and Safari Phishing
- RFC 1918 Blues
- Slowloris HTTP DoS
- CSRF And Ignoring Basic/Digest Auth
- Hash Information Disclosure Via Collisions - The Hard Way
- Socket Capable Browser Plugins Result In Transparent Proxy Abuse
- XMLHTTPReqest “Ping” Sweeping in Firefox 3.5+
- Session Fixation Via DNS Rebinding
- Quicky Firefox DoS
- DNS Rebinding for Credential Brute Force
- SMBEnum
- DNS Rebinding for Scraping and Spamming
- SMB Decloaking
- De-cloaking in IE7.0 Via Windows Variables
- itms Decloaking
- Flash Origin Policy Issues
- Cross-subdomain Cookie Attacks
- HTTP Parameter Pollution (HPP)
- How to use Google Analytics to DoS a client from some website.
- Our Favorite XSS Filters and how to Attack them
- Location based XSS attacks
- PHPIDS bypass
- I know what your friends did last summer
- Detecting IE in 12 bytes
- Detecting browsers javascript hacks
- Inline UTF-7 E4X javascript hijacking
- HTML5 XSS
- Opera XSS vectors
- New PHPIDS vector
- Bypassing CSP for fun, no profit
- Twitter misidentifying context
- Ping pong obfuscation
- HTML5 new XSS vectors
- About CSS Attacks
- Web pages Detecting Virtualized Browsers and other tricks
- Results, Unicode Left/Right Pointing Double Angel Quotation Mark
- Detecting Private Browsing Mode
- Cross-domain search timing
- Bonus Safari XXE (only affecting Safari 4 Beta)
- Apple's Safari 4 also fixes cross-domain XML theft
- Apple's Safari 4 fixes local file theft attack
- A more plausible E4X attack
- A brief description of how to become a CA
- Creating a rogue CA certificate
- Browser scheme/slash quirks
- Cross-protocol XSS with non-standard service ports
- Forget sidejacking, clickjacking, and carjacking: enter “Formjacking”
- MD5 extension attack
- Attack - PDF Silent HTTP Form Repurposing Attacks
- XSS Relocation Attacks through Word Hyperlinking
- Hacking CSRF Tokens using CSS History Hack
- Hijacking Opera’s Native Page using malicious RSS payloads
- Millions of PDF invisibly embedded with your internal disk paths
- Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
- Pwning Opera Unite with Inferno’s Eleven
- Using Blended Browser Threats involving Chrome to steal files on your computer
- Bypassing OWASP ESAPI XSS Protection inside Javascript
- Hijacking Safari 4 Top Sites with Phish Bombs
- Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency
- Gmail - Google Docs Cookie Hijacking through PDF Repurposing & PDF
- IE8 Link Spoofing - Broken Status Bar Integrity
- Blind SQL Injection: Inference thourgh Underflow exception
- Exploiting Unexploitable XSS
- Clickjacking & OAuth
- Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk
- Active Man in the Middle Attacks
- Cross-Site Identification (XSid)
- Microsoft IIS with Metasploit evil.asp;.jpg
- MSWord Scripting Object XSS Payload Execution Bug and Random CLSID Stringency
- Generic cross-browser cross-domain theft
- Popup & Focus URL Hijacking
- Advanced SQL injection to operating system full control (whitepaper)
- Expanding the control over the operating system from the database
- HTML+TIME XSS attacks
- Enumerating logins via Abuse of Functionality vulnerabilities
- Hellfire for redirectors
- DoS attacks via Abuse of Functionality vulnerabilities
- URL Spoofing vulnerability in bots of search engines (#2)
- URL Hiding - new method of URL Spoofing attacks
- Exploiting Facebook Application XSS Holes to Make API Requests
- Unauthorized TinyURL URL Enumeration Vulnerability
36 comments:
MD5 extension attack for sure!
http://netifera.com/research
A lot of sites ARE STILL affected (some BIG)
Attack - PDF Silent HTTP Form Repurposing Attacks
http://www.secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf
XSS Relocation Attacks through Word Hyperlinking
http://www.secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf
Thanks all, added (49, 50, 51)
Hi Jeremiah,
Here are some of my contributions-
http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/
http://securethoughts.com/2009/08/hijacking-safari-4-top-sites-with-phish-bombs/
http://securethoughts.com/2009/08/bypassing-owasp-esapi-xss-protection-inside-javascript/
http://securethoughts.com/2009/11/using-blended-browser-threats-involving-chrome-to-steal-files-on-your-computer/
http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/
http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/
http://securethoughts.com/2009/11/millions-of-pdf-invisibly-embedded-with-your-internal-disk-paths/
http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicious-rss-payloads/
http://securethoughts.com/2009/07/rsnakes-javascript-ping-sweep-attack-extended-for-internet-explorer-8/
http://securethoughts.com/2009/02/unauthorized-tinyurl-url-enumeration-vulnerability/
Regards,
Inferno
Thanks Inferno, added all except one. (#52 - # 59)
Hi Jer
Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency
http://zeroknock.blogspot.com/2009/12/yahoo-babelfish-possible-inline-iframe.html
Gmail - Google Docs Cookie Hijacking through PDF Repurposing
http://secniche.org/gmd_hijack/gc_hijack.xhtml
http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf
IE8 Link Spoofing - Broken Status Bar Integrity
http://secniche.org/ie_spoof_myth/
@0kn0ck, added #60
@anonymous, added #61 / #62
Blind SQL Injection: Inference thourgh Underflow exception
http://dbellucci.blogspot.com/2009/12/blind-sql-injection-inference-through.html
@belch, thank you. #63
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
http://stephensclafani.com/2009/05/04/clickjacking-oauth/
@Stephen, thank you. Added #64 and #65
"iPhone SSL Warning and Safari Phishing" attack points to 404 page.
The correct hyper link would be,
http://ha.ckers.org/blog/20090329/iphone-ssl-warning-and-safari-phishing/
@Amish, thanks fixed.
This new type of attack is generic , will work on any system/OS/browser, doesn't relate to any implementation bug, and shows how can hackers penetrate VPN or even disconnected networks
Active Man in the Middle Attacks:
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
Happy holiday season,
Adi
Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk
http://zeroknock.blogspot.com/2009/12/google-translate-google-user-content.html
Hi Jeremiah,
This new type of attack is generic , will work on any system/OS/browser, doesn't rely on any implementation bug, and shows how can hackers penetrate VPN or even closed networks.
Active Man in the Middle Attacks:
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
Happy holiday season,
Adi
Jeremiah!
List of 2009 Web Hacking Techniques is a good thing (as it were with previous lists for 2007 and 2008).
Soon I'll write you about my 2009's web hacking techniques.
P.S.
Happy holidays to everyone.
Current list is interesting, but I must note about some of its items.
There are contributions by other researchers which is just the same as my own, but I did my own months and even years earlier :-). Like 0kn0ck's one about Yahoo Babelfish (which mentioned as #60). And also new 0kn0ck's comment about Google Translate.
I wrote about this hole in Yahoo Babelfish (on both babelfish.altavista.com and babelfish.yahoo.com) in beginning of 2009 (and found hole at 25.04.2008 and informed Yahoo which ignored to fix it).
About such XSS attacks which I called Remote XSS/HTML Include (and fun guys called it Frame Injection) I wrote many times at my site for last three years.
Like vulnerabilities at images.google.com (in 2007), images.search.yahoo.com (in 2008) and www.google.com and translate.google.com (in 2008) and at many other sites. And in all cases web site owners ignored to fix the holes.
So I recommend 0kn0ck to not touch my holes (which I found a long time before him) and find others (new ones) for himself ;-). I very often see such cases, when other people found my holes after months and years after me :-). There was such case with hole in images.google.com, and here are cases with Yahoo Babelfish and Google Translate. Anyway I wish everyone Merry Christmas and Happy New Year!
A new type of attack allowing cross-site identification using out of context information from social networks.
http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html
@0kn0ck, added #66. And please have a look at MustLive's work he cited. It does appear to look similar, but if not, would be helpful to know why. Either way, researchers including myself do cross paths with the work of others without knowing it.
@adi, added #67 - thank you.
@ronen, added #68 thanks.
Jer
There is no point of cross path as such. Primarily it is hard for a researcher to visit every blog or vice versa. It may be result as a same thing but the attack end points and explanation could vary depending to the disclosure done to the requisite vendor and their response.
@0kn0ck understood, which is a big reason why I've been making such lists. To be a repository for reference if nothing else.
Jer
That's a great step.Another interesting discussion. Have a look:
http://zeroknock.blogspot.com/2009/12/google-chrome-webkit-msword-scripting.html
@0kn0ck, added #70
Very cool cross-browser cross-domain css exploit by Chris Evans
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
@Inferno, thanks added #70
Research titled "Advanced SQL injection to operating system full control" slides and whitepaper.
Research titled "Expanding the control over the operating system from the database" slides
It's by the same author of sqlmap. The best in the field!
I think we can add HTML+TIME XSS attacks working on all IEs from 5.5 to 8 like tweeted here:
https://twitter.com/0x6D6172696F/status/7197250108
https://twitter.com/0x6D6172696F/status/7196350903
https://twitter.com/0x6D6172696F/status/7196312532
https://twitter.com/0x6D6172696F/status/7180793115
Introduces loads of new possible vectors mostly unknown by devs and not filtered by common WAF/filter solutions.
Hey Jeremiah,
Just a heads up wrt #68, the name was changed to Cross-Site Identification (or XSId, of course :) ).
I think this name much better reflects the real impact of the issue.
A.D.
@Avi - updated.
Jeremiah!
Yesterday I wrote you a new letter (in addition to my first letter) with other my 2009's researches.
And also with mentioning of Soroush Dalili's research on IIS, which you also can look at. As I see you already mentioned it in #69 (you can add a link to pdf with advisory too).
My contribution:
* Cross-Web2.0 Scripting
http://aviv.raffon.net/2009/05/18/CrossWeb20Scripting.aspx
* Month of Twitter Bugs
http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx
http://www.twitpwn.com
* Flash Shared Object - Bypass “Private Browsing” mode
http://aviv.raffon.net/2009/08/17/NotSoPrivateAfterAll.aspx
Il n'ya pas de point de croix chemin en tant que telle. Principalement, il est difficile pour un chercheur de visiter tous les blogs, ou vice versa. Il peut être le résultat en une même chose, mais les points d'extrémité d'attaque et explication pourrait varier en fonction de la divulgation faite au vendeur nécessaires et leur réponse.
Post a Comment