Since the inception of the Top Ten Web Hacking Techniques list, the diversity, volume, and innovation of security research has always been impressive. 2010 produced 69 new attack techniques! This year's point-position voting system worked well, and the results showed exceptionally strong competition throughout all the entries. In fact, only two entries did not gain any points.
I’d like to take a moment again to thank everyone who took the time to fill out the voting surveys, including those who were on this year's expert panel: Ed Skoudis (InGuardians Founder & Senior Security Consultant), Giorgio Maone (Author of NoScript), Caleb Sima (CEO, Armorize), Chris Wysopal (Veracode Co-Founder & CTO), Jeff Williams (OWASP Chairman & CEO, Aspect Security), Charlie Miller (Consultant, Independent Security Evaluators), Dan Kaminsky (Director of Pen-Testing, IOActive), Steven Christey (Mitre), and Arian Evans (VP of Operations, WhiteHat Security). Also a big thanks to our sponsors: BlackHat, OWASP, various Web security authors, and WhiteHat Security.
Today the polls are closed, the votes are in, and the official Top Ten Web Hacking Techniques of 2010 has been finalized! For any researcher, simply the act of creating something unique enough to appear on the complete list is itself an achievement. To make it onto the top ten, though, is, well, another matter entirely. These researchers receive special praise amongst their peers who selected them and take their place amongst those highlighted in previous years (2006, 2007, 2008, 2009).
Top honors go to Juliano Rizzo and Thai Duong for their work on the “'Padding Oracle' Crypto Attack.” They’ll receive a free pass to attend the BlackHat USA Briefings 2011 (sponsored by Black Hat) and a library of autographed Web security books.
In second place is Samy Kamkar for his work on “Evercookie.” He’ll receive a free OWASP Conference pass (sponsored by OWASP).
And finally, everyone appearing on the top ten will receive a custom-designed t-shirt (sponsored by WhiteHat Security).
Top Ten Web Hacking Techniques of 2010!
1) 'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET)
Juliano Rizzo (@julianor), Thai Duong (@thaidn)
2) Evercookie
Samy Kamkar (@samykamkar)
3) Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
Jeremiah Grossman (@jeremiahg)
4) Attacking HTTPS with Cache Injection (Bad Memories)
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
Lavakumar Kuppan (@lavakumark)
6) Universal XSS in IE8 (CVE, White Paper)
Eduardo Vela (@sirdarckcat), David Lindsay (@thornmaker)
7) HTTP POST DoS
Wong Onn Chee, Tom Brennan (@brennantom)
Arshan Dabirsiaghi (@nahsra)
Robert "RSnake" Hansen (@rsnake)
10) Java Applet DNS Rebinding
At IT-Defense 2011 (Feb.) it will be my great honor to introduce each of the top ten during my “Top Ten Web Hacking Techniques of the Year (2011)” presentations. Each technique will be described in technical detail: how it functions, what it can do, to whom, and how best to defend against it. The audience will get an opportunity to better understand the newest Web-based attacks believed most likely to be used against us in the future.
The Complete List
- Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
- Cookie Eviction
- Converting unimplementable Cookie-based XSS to a persistent attack
- phpwn: Attack on PHP sessions and random numbers
- NAT Pinning: Penetrating routers and firewalls from a web page (forcing router to port forward)
- Mapping a web browser to GPS coordinates via router XSS + Google Location Services without prompting the user
- XSHM Mark 2
- MitM DNS Rebinding SSL/TLS Wildcards and XSS
- Using Cookies For Selective DoS and State Detection
- Quick Proxy Detection
- Flash Camera and Mic Remember Function and XSS
- Improving HTTPS Side Channel Attacks
- Side Channel Attacks in SSL
- Turning XSS into Clickjacking
- Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
- Popup & Focus URL Hijacking
- Hacking Facebook with HTML5
- Stealing entire Auto-Complete data in Google Chrome
- Chrome and Safari users open to stealth HTML5 AppCache attack
- DNS Rebinding on Java Applets
- The curse of inverse strokejacking
- Re-visiting JAVA De-serialization: It can't get any simpler than this !!
- Fooling B64_Encode(Payload) on WAFs and filters
- MySQL Stacked Queries with SQL Injection...sort of
- A Twitter DomXss, a wrong fix and something more
- Get Internal Network Information with Java Applets
- Java DSN Rebinding + Java Same IP Policy = The Internet Mayhem
- Java Applet Same IP Host Access
- ASP.NET 'Padding Oracle' Crypto Attack
- Posting raw XML cross-domain
- Generic cross-browser cross-domain theft
- One vector to rule them all
- HTTP POST DoS
- Penetrating Intranets through Adobe Flex Applications
- Attacking HTTPS with Cache Injection
- Tapjacking: owning smartphone browsers
- Breaking into a WPA network with a webpage
- XSS-Track: How to quietly track a whole website through single XSS
- Next Generation Clickjacking
- XSSing client-side dynamic HTML includes by hiding HTML inside images and more
- Stroke triggered XSS and StrokeJacking
- Internal Port Scanning via Crystal Reports
- Lost in Translation (ASP’s HomoXSSuality)
- Cross Site URL Hijacking by using Error Object in Mozilla Firefox
- IIS5.1 Directory Authentication Bypass by using ":$I30:$Index_Allocation"
- Universal XSS in IE8
- padding oracle web attack (poet, Padbuster, demo)
- IIS6/ASP & file upload for fun and profit
- Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation
- NoScript Bypass - "Reflective XSS" through Union SQL Poisoning Trick
- Persistent Cross Interface Attacks
- Port Scanning with HTML5 and JS-Recon
- Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers
- Will it Blend?
- Stored XSS Vulnerability @ Amazon
- Poisoning proxy caches using Java/Flash/Web Sockets
- How to Conceal XSS Injection in HTML5
- Expanding the Attack Surface
- Chronofeit Phishing
- Non-Obvious (Crypto) Bugs by Example
- SQLi filter evasion cheat sheet (MySQL)
- Tabnabbing: A New Type of Phishing Attack
- UI Redressing: Attacks and Countermeasures Revisited