Monday, February 21, 2011

Top Ten Web Hacking Techniques of 2011

Update 02.14.2011: Open voting for the final 15 is now underway. Vote Now!


This post will serve to collect new attack techniques as they are published. If you think something should be added, please comment below and I'll add them.

"Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work."

Current 2011 List
  1. Bypassing Flash’s local-with-filesystem Sandbox
  2. Abusing HTTP Status Codes to Expose Private Information
  3. SpyTunes: Find out what iTunes music someone else has
  4. CSRF: Flash + 307 redirect = Game Over
  5. Close encounters of the third kind (client-side JavaScript vulnerabilities)
  6. Tracking users that block cookies with a HTTP redirect
  7. The Failure of Noise-Based Non-Continuous Audio Captchas
  8. Kindle Touch (5.0) Jailbreak/Root and SSH
  9. NULLs in entities in Firefox
  10. Timing Attacks on CSS Shaders
  11. CSRF with JSON – leveraging XHR and CORS
  12. Double eval() for DOM based XSS
  13. Hidden XSS Attacking the Desktop & Mobile Platforms
  14. Rapid history extraction through non-destructive cache timing (v8)
  15. Lotus Notes Formula Injection
  16. Stripping Referrer for fun and profit
  17. How to upload arbitrary file contents cross-domain (2)
  18. Exploiting the unexploitable XSS with clickjacking
  19. How to get SQL query contents from SQL injection flaw
  20. XSS-Track as a HTML5 WebSockets traffic sniffer
  21. Cross domain content extraction with fake captcha
  22. Autocomplete..again?!
  23. JSON-based XSS exploitation
  24. DNS poisoning via Port Exhaustion
  25. Java Applet Same-Origin Policy Bypass via HTTP Redirect
  26. HOW TO: Spy on the Webcams of Your Website Visitors
  27. Launch any file path from web page
  28. Crowd-sourcing mischief on Google Maps leads customers astray
  29. BEAST
  30. Bypassing Chrome’s Anti-XSS filter
  31. XSS in Skype for iOS
  32. Cookiejacking
  33. Stealth Cookie Stealing (new XSS technique)
  34. SurveyMonkey: IP Spoofing
  35. Using Cross-domain images in WebGL and Chrome 13
  36. Filejacking: How to make a file server from your browser (with HTML5 of course)
  37. Exploitation of “Self-Only” Cross-Site Scripting in Google Code
  38. Expression Language Injection
  39. (DOMinator) Finding DOMXSS with dynamic taint propagation
  40. Facebook: Memorializing a User
  41. How To Own Every User On A Social Networking Site
  42. Text-based CAPTCHA Strengths and Weaknesses
  43. Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
  44. Temporal Session Race Conditions Video 2
  45. Google Chrome/ChromeOS sandbox side step via owning extensions
  46. Excel formula injection in Google Docs
  47. Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
  48. CAPTCHA Hax With TesserCap
  49. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
  50. Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]

Previous Winners
2010 - 'Padding Oracle' Crypto Attack
2009 - Creating a rogue CA certificate
2008 - GIFAR
2007 - XSS Vulnerabilities in Common Shockwave Flash Files
2006 - Web Browser Intranet Hacking / Port Scanning
at

40 comments:

  1. UnknownFebruary 21, 2011 at 11:38 AM

    mana ??
    where the technique ?

    ReplyDelete
  2. albinoFebruary 21, 2011 at 2:33 PM

    Don't forget the awesome http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html

    ReplyDelete
  3. Gilang kurniajiFebruary 21, 2011 at 5:13 PM

    i think this article is a tutorial for hacking. :LOL

    ReplyDelete
  4. Jeremiah GrossmanFebruary 21, 2011 at 6:25 PM

    @ablino: right you are!

    ReplyDelete
  5. SoroushFebruary 22, 2011 at 4:17 AM

    Please check this as well. It contains a few new things.
    http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/
    As we currently have some web app CMS which are vulnerable to this, we can assume it as a bunch of old/new techs.

    ReplyDelete
  6. SoroushFebruary 22, 2011 at 5:13 AM

    Just one thing:
    It is very good idea to have the techniques here from Feb.2011 as we can come here to see the list. However, why don't we do the same in a section in OWASP website? we can have a section for the techniques of each year (before 2006, 2006-2011) after confirming them here.
    We can also add the real new attacks or vulnerability methods to the OWASP related sections.
    In this case, even if you want to close your blog because of any reason (for example because of my comments!!!), this movement will continue! :)
    What's your idea?

    ReplyDelete
  7. Jeremiah GrossmanFebruary 22, 2011 at 8:48 AM

    @Soroush: Another good idea. Anyone should feel free to repurpose the Web Hacking data and post / improve it elsewhere. Including the OWASP.org website. If people would find it more useful there, great!

    For me, I'm completely overwhelmed with current tasks at the moment and do not have the time to create a new wiki environment. If you'd like to do so, you have my blessing. I just humbly request backlinks. :)

    ReplyDelete
  8. Aditya K SoodFebruary 23, 2011 at 7:29 AM

    This comment has been removed by the author.

    ReplyDelete
  9. Aditya K SoodFebruary 23, 2011 at 7:31 AM

    Exploiting Web Virtual Hosting - Automated Host Framing

    This issue is discussed in the HackInTheBox Ezine Issue 5. This paper sheds light on the exploitation of virtual hosts.

    http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf

    ReplyDelete
  10. Ory SegalFebruary 23, 2011 at 11:31 PM

    Hey,

    While not a hacking technique per se, I believe that our whitepaper on client-side JavaScript issues and hybrid JavaScript analysis is worth mentioning here: http://tinyurl.com/5w6koqj

    Maybe it should go on the list?

    ReplyDelete
  11. Jeremiah GrossmanFebruary 24, 2011 at 9:28 AM

    @Ory: Oh boy, right on the edge with this one. :) Although, I've never been particularly stubborn about the purity of the "techniques" that go on the big Top Ten list. Solid research deserves to be highlighted.

    ReplyDelete
  12. SoroushFebruary 28, 2011 at 5:02 AM

    Jeremiah, as I mentioned above, should I publish several 0day vulnerabilities in regarding to the following URL to accept it here? ;)
    http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/

    I will if you want. Please let me know you opinion.

    ReplyDelete
  13. nikosMarch 4, 2011 at 12:37 PM

    wow!!i didnt understand the techniques!

    ReplyDelete
  14. SoroushMarch 11, 2011 at 3:21 AM

    The other reason to beware ExternalInterface.call():
    http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html

    Flash ExternalInterface.call() JavaScript Injection – can make the websites vulnerable to XSS:
    http://soroush.secproject.com/blog/2011/03/flash-externalinterface-call-javascript-injection-%E2%80%93-can-make-the-websites-vulnerable-to-xss/

    ReplyDelete
  15. James KettleMay 25, 2011 at 4:32 AM

    Finding DOMXSS with taint-propagation
    http://blog.mindedsecurity.com/2011/05/dominator-project.html

    'Cookiejacking'
    https://sites.google.com/site/tentacoloviola/cookiejacking

    ReplyDelete
  16. Jeremiah GrossmanJune 8, 2011 at 5:53 PM

    http://www.zurich.ibm.com/~cca/csc2011/talks/pinkas-invited-csc2011.pdf
    Referrer XSS in IE: http://blog.mindedsecurity.com/2011/03/abusing-referrer-on-explorer-for.html
    Cookiejacking: https://sites.google.com/site/tentacoloviola/cookiejacking

    ReplyDelete
  17. ElieJuly 22, 2011 at 11:40 AM

    Tracking users that block cookies with a HTTP redirect http://bit.ly/na7YwZ

    ReplyDelete
  18. ElieJuly 22, 2011 at 11:42 AM

    New technique:
    Tracking users that block cookies with a HTTP redirect :http://bit.ly/na7YwZ

    ReplyDelete
  19. ElieJuly 22, 2011 at 11:43 AM

    New technique: Abusing every web site registration by breaking their audio captchas. http://bit.ly/q89brX

    ReplyDelete
  20. Aditya K SoodOctober 28, 2011 at 3:43 PM

    Extending SQL Injection Attacks Using Buffer Overflows - http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf

    ReplyDelete
  21. Gursev Singh KalraDecember 20, 2011 at 12:48 AM

    This comment has been removed by the author.

    ReplyDelete
  22. Gursev Singh KalraDecember 20, 2011 at 4:25 AM

    Hi Jeremiah,

    I am suggesting two entries from my work.
    1. Evading Content Security Policy With CRLF Injection -- http://gursevkalra.blogspot.com/2011/11/evading-content-security-policy-with.html
    2. CAPTCHA Hax With TesserCap -- http://gursevkalra.blogspot.com/2011/11/captcha-hax-with-tessercap.html

    ReplyDelete
  23. Aditya K SoodDecember 20, 2011 at 8:38 AM

    The very first details of Skype IM (MAC OS X) - Is this the 0day ? - http://secniche.blogspot.com/2011/05/skype-im-mac-os-x-is-this-0day.html

    ReplyDelete
  24. WireghoulDecember 21, 2011 at 4:25 PM

    Plugging myself here:

    http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html

    ReplyDelete
  25. Gursev Singh KalraDecember 22, 2011 at 9:50 PM

    JSON CSRF with Parameter Padding http://gursevkalra.blogspot.com/2011/12/json-csrf-with-parameter-padding.html

    ReplyDelete
  26. utiputi4kaDecember 23, 2011 at 12:51 AM

    Excel formula injection :)

    http://dsecrg.blogspot.com/2011/12/excel-formula-injection-in-google-docs.html

    ReplyDelete
  27. SoroushDecember 30, 2011 at 7:40 PM

    Please check this out as well:
    http://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/

    ReplyDelete
  28. Matt JohansenJanuary 2, 2012 at 7:49 PM

    Chrome/ChromeOS sandbox side step via owning extensions and taking advantage of their permissions

    https://media.blackhat.com/bh-us-11/Johansen/BH_US_11_JohnasenOsborn_Hacking_Google_WP.pdf

    ReplyDelete
  29. Jeremiah GrossmanJanuary 3, 2012 at 11:14 AM

    @Matt: #45

    @utiputi4ka: #46

    @Soroush: #47

    Thank you for your research gentlemen, and good luck!

    ReplyDelete
  30. AnonymousJanuary 3, 2012 at 6:15 PM

    Hey Jeremiah,

    Did you get a chance to look at my work on TesserCap?

    ReplyDelete
  31. Jeremiah GrossmanJanuary 4, 2012 at 10:52 AM

    @anonymous: normally I don't list "tools", but in your case I made an exception for its uniqueness. Never seen anything like that before and think it could prove useful to many people.

    ReplyDelete
  32. AnonymousJanuary 4, 2012 at 6:50 PM

    thank u Jeremiah.

    ReplyDelete
  33. Gursev Singh KalraJanuary 6, 2012 at 4:37 AM

    Three semicolon vulnerabilities for XSS exploitation
    https://superevr.com/blog/2011/three-semicolon-vulnerabilities/

    ReplyDelete
  34. SoroushJanuary 20, 2012 at 1:31 AM

    @Jeremiah: could you please check this again:
    http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/

    OR

    http://soroush.secproject.com/downloadable/Unrestricted_File_Download_V1.0.pdf

    It was sent to you previously, but it is not on this list.

    ReplyDelete
  35. AnonymousFebruary 7, 2012 at 8:22 AM

    do we have votes this time around also?

    ReplyDelete
  36. LooneyFebruary 11, 2012 at 8:29 PM

    Got a question for you. Please email me

    ibeatz@gmx.com

    ReplyDelete
  37. Jeremiah GrossmanFebruary 13, 2012 at 10:56 AM

    @Anonymous: yes we will, I'm just way behind.

    ReplyDelete
  38. Erlend OftedalFebruary 14, 2012 at 11:59 PM

    HashDOS is missing

    ReplyDelete
  39. Jeremiah GrossmanFebruary 15, 2012 at 10:19 AM

    @Erland: Thank you. I added it as #51 here: https://blog.whitehatsec.com/vote-now-top-ten-web-hacking-techniques-of-2011/

    ReplyDelete
  40. AnonymousApril 1, 2012 at 6:58 AM

    Are we doing the top 10 web hacking techniques for 2012 as well?

    ReplyDelete