The diversity, volume, and innovation of the research was impressive. Competition was as fierce as ever and the judges had their work cut out. Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Romain Gaucher, Steven Christey, Jeff Forristal, and Michal Zalewski were tasked with ranking the field based upon novelty, impact, and overall pervasiveness. For any researcher simply the act of creating something unique enough to appear on the list is itself an achievement. Today the polls are close, votes are in, and the top ten list has been finalized. Researchers making the cut can expect to receive praise amongst their peers and take their place amongst those from previous years (2006, 2007, 2008).
Top honors go to Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger for their work on “Creating a rogue CA certificate.” The judges were convinced by no small margin that this entry stood head and shoulders above the rest. The team will be awarded a free pass to attend the BlackHat USA Briefings 2010! (generously sponsored by Black Hat)
Top Ten Web Hacking Techniques of 2009!
1. Creating a rogue CA certificate
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
2. HTTP Parameter Pollution (HPP)
Luca Carettoni, Stefano diPaola
3. Flickr's API Signature Forgery Vulnerability (MD5 extension attack)
Thai Duong and Juliano Rizzo
4. Cross-domain search timing
Chris Evans
5. Slowloris HTTP DoS
Robert Hansen, (additional credit for earlier discovery to Adrian Ilarion Ciobanu & Ivan Ristic - “Programming Model Attacks” section of Apache Security for describing the attack, but did not produce a tool)
6. Microsoft IIS 0-Day Vulnerability Parsing Files (semi‐colon bug)
Soroush Dalili
7. Exploiting unexploitable XSS
Stephen Sclafani
8. Our Favorite XSS Filters and how to Attack them
Eduardo Vela (sirdarckcat), David Lindsay (thornmaker)
9. RFC1918 Caching Security Issues
Robert Hansen
10. DNS Rebinding (3-part series Persistent Cookies, Scraping & Spamming, and Session Fixation)
Robert Hansen
Congratulations to all!
Coming up at IT-Defense (Feb. 3 - 5) and RSA USA 2010 (Mar. 1 - 5) it will be my great honor to introduce each of the top ten during my “2010: A Web Hacking Odyssey” presentations. Each technique will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. The opportunity provides a chance to get a closer look at the new attacks that could be used against us in the future.
The Complete List
- Persistent Cookies and DNS Rebinding Redux
- iPhone SSL Warning and Safari Phishing
- RFC 1918 Blues
- Slowloris HTTP DoS
- CSRF And Ignoring Basic/Digest Auth
- Hash Information Disclosure Via Collisions - The Hard Way
- Socket Capable Browser Plugins Result In Transparent Proxy Abuse
- XMLHTTPReqest “Ping” Sweeping in Firefox 3.5+
- Session Fixation Via DNS Rebinding
- Quicky Firefox DoS
- DNS Rebinding for Credential Brute Force
- SMBEnum
- DNS Rebinding for Scraping and Spamming
- SMB Decloaking
- De-cloaking in IE7.0 Via Windows Variables
- itms Decloaking
- Flash Origin Policy Issues
- Cross-subdomain Cookie Attacks
- HTTP Parameter Pollution (HPP)
- How to use Google Analytics to DoS a client from some website.
- Our Favorite XSS Filters and how to Attack them
- Location based XSS attacks
- PHPIDS bypass
- I know what your friends did last summer
- Detecting IE in 12 bytes
- Detecting browsers javascript hacks
- Inline UTF-7 E4X javascript hijacking
- HTML5 XSS
- Opera XSS vectors
- New PHPIDS vector
- Bypassing CSP for fun, no profit
- Twitter misidentifying context
- Ping pong obfuscation
- HTML5 new XSS vectors
- About CSS Attacks
- Web pages Detecting Virtualized Browsers and other tricks
- Results, Unicode Left/Right Pointing Double Angel Quotation Mark
- Detecting Private Browsing Mode
- Cross-domain search timing
- Bonus Safari XXE (only affecting Safari 4 Beta)
- Apple's Safari 4 also fixes cross-domain XML theft
- Apple's Safari 4 fixes local file theft attack
- A more plausible E4X attack
- A brief description of how to become a CA
- Creating a rogue CA certificate
- Browser scheme/slash quirks
- Cross-protocol XSS with non-standard service ports
- Forget sidejacking, clickjacking, and carjacking: enter “Formjacking”
- MD5 extension attack
- Attack - PDF Silent HTTP Form Repurposing Attacks
- XSS Relocation Attacks through Word Hyperlinking
- Hacking CSRF Tokens using CSS History Hack
- Hijacking Opera’s Native Page using malicious RSS payloads
- Millions of PDF invisibly embedded with your internal disk paths
- Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
- Pwning Opera Unite with Inferno’s Eleven
- Using Blended Browser Threats involving Chrome to steal files on your computer
- Bypassing OWASP ESAPI XSS Protection inside Javascript
- Hijacking Safari 4 Top Sites with Phish Bombs
- Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency
- Gmail - Google Docs Cookie Hijacking through PDF Repurposing & PDF
- IE8 Link Spoofing - Broken Status Bar Integrity
- Blind SQL Injection: Inference thourgh Underflow exception
- Exploiting Unexploitable XSS
- Clickjacking & OAuth
- Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk
- Active Man in the Middle Attacks
- Cross-Site Identification (XSid)
- Microsoft IIS with Metasploit evil.asp;.jpg
- MSWord Scripting Object XSS Payload Execution Bug and Random CLSID Stringency
- Generic cross-browser cross-domain theft
- Popup & Focus URL Hijacking
- Advanced SQL injection to operating system full control (whitepaper)
- Expanding the control over the operating system from the database
- HTML+TIME XSS attacks
- Enumerating logins via Abuse of Functionality vulnerabilities
- Hellfire for redirectors
- DoS attacks via Abuse of Functionality vulnerabilities
- URL Spoofing vulnerability in bots of search engines (#2)
- URL Hiding - new method of URL Spoofing attacks
- Exploiting Facebook Application XSS Holes to Make API Requests
- Unauthorized TinyURL URL Enumeration Vulnerability
 
9 comments:
w00t w00t
wait, rogue cert is 2008! chirstmas 2008 at CCC and all the research was done in 2008! And moxie attack is real 2009 and is more useful, usable, people can repeat it and is a new bug. The rogue CA cert is well known md5 coliisions being abused
debate!
Nice Top Ten web hacks and the whole list of the hacks!
My congratulation to authors who made the Top Ten.
> Our Favorite XSS Filters and how to Attack them
For somebody they are favorite, for somebody they are not :-). But with no doubts all XSS Filters have holes which can be used to bypass them (and last issue with XSS Filter in IE8 is confirmation to it).
Anonymous
It's interesting note. Wait for what Jeremiah will say about it.
Your arguments is sufficient, but it was better to said it before Top Ten was selected. I heard about both rogue cert and Moxie's works (at the time that you mentioned).
Thanks a lot for links!
@anonymous, Rouge Cert was "December 30, 2008", and the news really didn't break until into 2009. Either way it wasn't consider for our list before, so we included it... and for good reason obviously.
The bug wasn't found by Mr.Dalili, the original bug has been published here http://www.80sec.com/microsoft-internet-infomation-server-6-isapi-filename-analytic-vulnerabilitie.html few months ago
im sorry for your childish thoughts
Hey.. very nice and useful information. did you mention about PHP injection??? check out my blog for some more hacking?????
Thanks a lot.I have searched many sites.But i got the good idea from your site.Some links are very useful to know something about PHP.. :)
Post a Comment