This post will serve to collect new attack techniques as they are published. If you think something should be added, please comment below and I'll add them.
"Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work."
Current 2011 List
- Bypassing Flash’s local-with-filesystem Sandbox
- Abusing HTTP Status Codes to Expose Private Information
- SpyTunes: Find out what iTunes music someone else has
- CSRF: Flash + 307 redirect = Game Over
- Close encounters of the third kind (client-side JavaScript vulnerabilities)
- Tracking users that block cookies with a HTTP redirect
- The Failure of Noise-Based Non-Continuous Audio Captchas
- Kindle Touch (5.0) Jailbreak/Root and SSH
- NULLs in entities in Firefox
- Timing Attacks on CSS Shaders
- CSRF with JSON – leveraging XHR and CORS
- Double eval() for DOM based XSS
- Hidden XSS Attacking the Desktop & Mobile Platforms
- Rapid history extraction through non-destructive cache timing (v8)
- Lotus Notes Formula Injection
- Stripping Referrer for fun and profit
- How to upload arbitrary file contents cross-domain (2)
- Exploiting the unexploitable XSS with clickjacking
- How to get SQL query contents from SQL injection flaw
- XSS-Track as a HTML5 WebSockets traffic sniffer
- Cross domain content extraction with fake captcha
- Autocomplete..again?!
- JSON-based XSS exploitation
- DNS poisoning via Port Exhaustion
- Java Applet Same-Origin Policy Bypass via HTTP Redirect
- HOW TO: Spy on the Webcams of Your Website Visitors
- Launch any file path from web page
- Crowd-sourcing mischief on Google Maps leads customers astray
- BEAST
- Bypassing Chrome’s Anti-XSS filter
- XSS in Skype for iOS
- Cookiejacking
- Stealth Cookie Stealing (new XSS technique)
- SurveyMonkey: IP Spoofing
- Using Cross-domain images in WebGL and Chrome 13
- Filejacking: How to make a file server from your browser (with HTML5 of course)
- Exploitation of “Self-Only” Cross-Site Scripting in Google Code
- Expression Language Injection
- (DOMinator) Finding DOMXSS with dynamic taint propagation
- Facebook: Memorializing a User
- How To Own Every User On A Social Networking Site
- Text-based CAPTCHA Strengths and Weaknesses
- Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
- Temporal Session Race Conditions Video 2
- Google Chrome/ChromeOS sandbox side step via owning extensions
- Excel formula injection in Google Docs
- Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
- CAPTCHA Hax With TesserCap
- Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
- Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]
Previous Winners
2010 - 'Padding Oracle' Crypto Attack
2009 - Creating a rogue CA certificate
2008 - GIFAR
2007 - XSS Vulnerabilities in Common Shockwave Flash Files
2006 - Web Browser Intranet Hacking / Port Scanning
40 comments:
mana ??
where the technique ?
Don't forget the awesome http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html
i think this article is a tutorial for hacking. :LOL
@ablino: right you are!
Please check this as well. It contains a few new things.
http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/
As we currently have some web app CMS which are vulnerable to this, we can assume it as a bunch of old/new techs.
Just one thing:
It is very good idea to have the techniques here from Feb.2011 as we can come here to see the list. However, why don't we do the same in a section in OWASP website? we can have a section for the techniques of each year (before 2006, 2006-2011) after confirming them here.
We can also add the real new attacks or vulnerability methods to the OWASP related sections.
In this case, even if you want to close your blog because of any reason (for example because of my comments!!!), this movement will continue! :)
What's your idea?
@Soroush: Another good idea. Anyone should feel free to repurpose the Web Hacking data and post / improve it elsewhere. Including the OWASP.org website. If people would find it more useful there, great!
For me, I'm completely overwhelmed with current tasks at the moment and do not have the time to create a new wiki environment. If you'd like to do so, you have my blessing. I just humbly request backlinks. :)
Exploiting Web Virtual Hosting - Automated Host Framing
This issue is discussed in the HackInTheBox Ezine Issue 5. This paper sheds light on the exploitation of virtual hosts.
http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf
Hey,
While not a hacking technique per se, I believe that our whitepaper on client-side JavaScript issues and hybrid JavaScript analysis is worth mentioning here: http://tinyurl.com/5w6koqj
Maybe it should go on the list?
@Ory: Oh boy, right on the edge with this one. :) Although, I've never been particularly stubborn about the purity of the "techniques" that go on the big Top Ten list. Solid research deserves to be highlighted.
Jeremiah, as I mentioned above, should I publish several 0day vulnerabilities in regarding to the following URL to accept it here? ;)
http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/
I will if you want. Please let me know you opinion.
wow!!i didnt understand the techniques!
The other reason to beware ExternalInterface.call():
http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
Flash ExternalInterface.call() JavaScript Injection – can make the websites vulnerable to XSS:
http://soroush.secproject.com/blog/2011/03/flash-externalinterface-call-javascript-injection-%E2%80%93-can-make-the-websites-vulnerable-to-xss/
Finding DOMXSS with taint-propagation
http://blog.mindedsecurity.com/2011/05/dominator-project.html
'Cookiejacking'
https://sites.google.com/site/tentacoloviola/cookiejacking
http://www.zurich.ibm.com/~cca/csc2011/talks/pinkas-invited-csc2011.pdf
Referrer XSS in IE: http://blog.mindedsecurity.com/2011/03/abusing-referrer-on-explorer-for.html
Cookiejacking: https://sites.google.com/site/tentacoloviola/cookiejacking
Tracking users that block cookies with a HTTP redirect http://bit.ly/na7YwZ
New technique:
Tracking users that block cookies with a HTTP redirect :http://bit.ly/na7YwZ
New technique: Abusing every web site registration by breaking their audio captchas. http://bit.ly/q89brX
Extending SQL Injection Attacks Using Buffer Overflows - http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf
Hi Jeremiah,
I am suggesting two entries from my work.
1. Evading Content Security Policy With CRLF Injection -- http://gursevkalra.blogspot.com/2011/11/evading-content-security-policy-with.html
2. CAPTCHA Hax With TesserCap -- http://gursevkalra.blogspot.com/2011/11/captcha-hax-with-tessercap.html
The very first details of Skype IM (MAC OS X) - Is this the 0day ? - http://secniche.blogspot.com/2011/05/skype-im-mac-os-x-is-this-0day.html
Plugging myself here:
http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html
JSON CSRF with Parameter Padding http://gursevkalra.blogspot.com/2011/12/json-csrf-with-parameter-padding.html
Excel formula injection :)
http://dsecrg.blogspot.com/2011/12/excel-formula-injection-in-google-docs.html
Please check this out as well:
http://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/
Chrome/ChromeOS sandbox side step via owning extensions and taking advantage of their permissions
https://media.blackhat.com/bh-us-11/Johansen/BH_US_11_JohnasenOsborn_Hacking_Google_WP.pdf
@Matt: #45
@utiputi4ka: #46
@Soroush: #47
Thank you for your research gentlemen, and good luck!
Hey Jeremiah,
Did you get a chance to look at my work on TesserCap?
@anonymous: normally I don't list "tools", but in your case I made an exception for its uniqueness. Never seen anything like that before and think it could prove useful to many people.
thank u Jeremiah.
Three semicolon vulnerabilities for XSS exploitation
https://superevr.com/blog/2011/three-semicolon-vulnerabilities/
@Jeremiah: could you please check this again:
http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/
OR
http://soroush.secproject.com/downloadable/Unrestricted_File_Download_V1.0.pdf
It was sent to you previously, but it is not on this list.
do we have votes this time around also?
Got a question for you. Please email me
ibeatz@gmx.com
@Anonymous: yes we will, I'm just way behind.
HashDOS is missing
@Erland: Thank you. I added it as #51 here: https://blog.whitehatsec.com/vote-now-top-ten-web-hacking-techniques-of-2011/
Are we doing the top 10 web hacking techniques for 2012 as well?
Post a Comment