Top Ten Web Hacking Techniques of 2010 (Official)

Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. Now it its fifth year the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.

Since inception of the Top Ten Web Hacking Techniques list, the diversity, volume, and innovation of security research has always been impressive. 2010 produced 69 new attack techniques! This years point-position voting system worked well and the results showed exceptionally strong competition throughout all the entries. In fact, only two entries did not gain any points.

I’d like to take a moment again to thank everyone who took the time to fill out the voting surveys including those who were on this years expert panel. Ed Skoudis (InGuardians Founder & Senior Security Consultant), Giorgio Maone (Author of NoScript), Caleb Sima (CEO, Armorize), Chris Wysopal (Veracode Co-Founder & CTO), Jeff Willams (OWASP Chairman & CEO, Aspect Security), Charlie Miller (Consultant, Independent Security Evaluators), Dan Kaminsky (Director of Pen-Testing, IOActive), Steven Christey (Mitre), and Arian Evans (VP of Operations, WhiteHat Security). Also a big thanks to our sponsors BlackHat, OWASP, various Web security authors, and WhiteHat Security.




Today the polls are close, votes are in, and the official Top Ten Web Hacking Techniques of 2010 has been finalized! For any researcher simple the act of creating something unique enough to appear on the complete list is itself an achievement. To make it on to the top ten though, is well, another matter entirely. These researchers receive special praise amongst their peers who selected them and take their place amongst those highlighted in previous years (2006, 2007, 2008, 2009).


Top honors go to Juliano Rizzo and Thai Duong for their work on the “'Padding Oracle' Crypto Attack” They’ll receive a free pass to attend the BlackHat USA Briefings 2011! (sponsored by Black Hat) and a library of autographed Web security books.




In second place is Samy Kamkar for his work on “Evercookie.” He’ll receive a free pass to OWASP Conference Pass (sponsored by OWASP).






And finally, everyone appearing on the top ten will receive custom designed t-shirt (sponsored by WhiteHat Security).







Top Ten Web Hacking Techniques of 2010!

1) 'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET)
Juliano Rizzo (@julianor), Thai Duong (@thaidn)

2) Evercookie
Samy Kamkar (@samykamkar)

3) Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
Jeremiah Grossman (@jeremiahg)

4) Attacking HTTPS with Cache Injection (Bad Memories)
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh

5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
Lavakumar Kuppan (@lavakumark)

6) Universal XSS in IE8 (CVE, White Paper)
Eduardo Vela (@sirdarckcat), David Lindsay (@thornmaker)

7) HTTP POST DoS
Wong Onn Chee, Tom Brennan (@brennantom)

8) JavaSnoop
Arshan Dabirsiaghi (@nahsra)

9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
Robert "RSnake" Hansen (@rsnake)

10) Java Applet DNS Rebinding
Stefano Di Paola (@WisecWisec)


At IT-Defense 2011 (Feb.) it will be my great honor to introduce each of the top ten during my “Top Ten Web Hacking Techniques of the Year (2011)” presentations. Each technique will be described in technical detail for how they function, what they can do, to whom, and how best to defend against them. The audience will get an opportunity to better understand the newest Web-based attacks believed most likely to be used against us in the future.


The Complete List

1. Evercookie
2. Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
3. Cookie Eviction
4. Converting unimplementable Cookie-based XSS to a persistent attack
5. phpwn: Attack on PHP sessions and random numbers
6. NAT Pinning: Penetrating routers and firewalls from a web page (forcing router to port forward)
7. Mapping a web browser to GPS coordinates via router XSS + Google Location Services without prompting the user
8. XSHM Mark 2
9. MitM DNS Rebinding SSL/TLS Wildcards and XSS
10. Using Cookies For Selective DoS and State Detection
11. Quick Proxy Detection
12. Flash Camera and Mic Remember Function and XSS
13. Improving HTTPS Side Channel Attacks
14. Side Channel Attacks in SSL
15. Turning XSS into Clickjacking
16. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
17. CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
18. Popup & Focus URL Hijacking
19. Hacking Facebook with HTML5
20. Stealing entire Auto-Complete data in Google Chrome
21. Chrome and Safari users open to stealth HTML5 AppCache attack
22. DNS Rebinding on Java Applets
23. Strokejacking
24. The curse of inverse strokejacking
25. Re-visiting JAVA De-serialization: It can't get any simpler than this !!
26. Fooling B64_Encode(Payload) on WAFs and filters
27. MySQL Stacked Queries with SQL Injection...sort of
28. A Twitter DomXss, a wrong fix and something more
29. Get Internal Network Information with Java Applets
30. Java DSN Rebinding + Java Same IP Policy = The Internet Mayhem
31. Java Applet Same IP Host Access
32. ASP.NET 'Padding Oracle' Crypto Attack
33. Posting raw XML cross-domain
34. Generic cross-browser cross-domain theft
    
35. One vector to rule them all
36. HTTP POST DoS
37. Penetrating Intranets through Adobe Flex Applications
38. No Alnum JavaScript (cheat sheet, jjencode demo)
39. Attacking HTTPS with Cache Injection
40. Tapjacking: owning smartphone browsers
41. Breaking into a WPA network with a webpage
42. XSS-Track: How to quietly track a whole website through single XSS
43. Next Generation Clickjacking
44. XSSing client-side dynamic HTML includes by hiding HTML inside images and more
45. Stroke triggered XSS and StrokeJacking
46. Internal Port Scanning via Crystal Reports
47. Lost in Translation (ASP’s HomoXSSuality)
48. Cross Site URL Hijacking by using Error Object in Mozilla Firefox
49. JavaSnoop
50. IIS5.1 Directory Authentication Bypass by using ":$I30:$Index_Allocation"
51. Universal XSS in IE8
52. padding oracle web attack (poet, Padbuster, demo)
53. IIS6/ASP & file upload for fun and profit
54. Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation
55. NoScript Bypass - "Reflective XSS" through Union SQL Poisoning Trick
56. Persistent Cross Interface Attacks
57. Port Scanning with HTML5 and JS-Recon
58. Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers
59. Cracking hashes in the JavaScript cloud with Ravan
60. Will it Blend?
61. Stored XSS Vulnerability @ Amazon
62. Poisoning proxy caches using Java/Flash/Web Sockets
63. How to Conceal XSS Injection in HTML5
64. Expanding the Attack Surface
65. Chronofeit Phishing
66. Non-Obvious (Crypto) Bugs by Example
67. SQLi filter evasion cheat sheet (MySQL)
68. Tabnabbing: A New Type of Phishing Attack
69. UI Redressing: Attacks and Countermeasures Revisited