Comments on Jeremiah Grossman: Top Ten Web Hacking Techniques of 2008 (Official)
Blog author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Comment feed last updated 2024-02-08; comments shown oldest first, times are -08:00.

Jeremiah Grossman, 2009-02-23 07:23:
LOL. Do a mapping to source code solutions if you like. :)

Nate McFeters, 2009-02-23 09:02:
Thanks for the recognition!

We'll have a Rock Band 2 guitar competition to see who the ultimate winner of the BH ticket is.

-Nate

Jeremiah Grossman, 2009-02-23 09:04:
Hahah, take a picture! Hackers playing Rock Band. Will rock for BH ticket! :)

CG, 2009-02-23 09:07:
How come the ActiveX repurposing has 3 links at the bottom but only 1 at the top?

Jeremiah Grossman, 2009-02-23 09:10:
I limited all the top ten links to one for cosmetic purposes. Had planned to add any useful additional reference links to the index as they come up.

Anonymous, 2009-02-23 10:29:
Congratulations all, although I do not completely agree :)

Anonymous, 2009-02-23 12:27:
And the real winner was....

http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf

Nate McFeters, 2009-02-23 12:35:
I agree with Gareth on that one... while I was glad to win the pwnie this year, I mentioned at the show the only reason Dowd lost out was cause he was a judge.

He easily could have won this, and def. should've been on the list.

To me, the only reason GIFAR was all that interesting was that it provided a way to compromise something more than just user data without a memory corruption.

kuza55, 2009-02-23 14:43:
Eh, I was planning to ignore this, since I always disagree with these lists, but #2 just makes me bitter since they didn't even realise the full potential of it with Firefox/E4X (slides 26-27 here: http://powerofcommunity.net/poc2008/kuza55.pdf and, since it seems they're hosting my old slides there, there are some slides with more details (slides 54-57) here: http://www.ruxcon.org.au/files/2008/Attacking_Rich_Internet_Applications.pdf)

P.S. Congrats Billy, Nate, Rob & John :) Though given your employers usually pay for Black Hat tickets, I'm not really sure what the benefit there is ;p

Nate McFeters, 2009-02-23 15:00:
Thanks for the congrats Kuza! Yeah, it's tough economic times though man, you never know... that ticket might come in handy.

Maybe we'll donate it to you though.... of course, you'd still have to get the flight covered.

Marinus, 2009-02-24 01:41:
Good to see some South Africans on the list. Kudos guys!

Vincent, 2009-02-24 09:07:
And ACSRF? :)
http://esl.epitech.eu/acsrf

MustLive, 2009-02-24 11:25:
I congratulate the winners, the authors of GIFAR, and all authors of the top 10 web hacking techniques.

GIFAR is nice, but all top 10 techniques are nice. All web hacks of 2008 are interesting.

Nate McFeters, 2009-02-24 11:41:
Thanks MustLive!

I agree, I think the best part of this is not some award, but the acknowledgement of some real interesting research all in one place.

-Nate

Anonymous, 2009-02-24 14:02:
Congrats Nate and company! There were very interesting submissions, although I must say I'm surprised by some of the appearances in the top 10 list.

Erick Lee, 2009-02-24 14:20:
This comment has been removed by the author.

Erick Lee, 2009-02-24 14:27:
Congrats... Not sure I agree with the top 10, but then putting together a list that security professionals all agree on is an exercise in futility.

Rob, 2009-02-24 14:48:
Thx everybody. There were a lot of great techniques this year. Glad I wasn't a judge ;)

Anonymous, 2009-02-25 03:11:
Congrats to all.

The GIFAR hack is really very interesting thinking.

My choice for the "chutzpah" award (if there was such a thing) is the CSS hack (number 7). It is very simple and effective.

South Africa has about 4 banks and I actually implemented number 7 in about half an hour, during a meeting that was very boring.

And it amazed people. (Actually shocked... which is good for security awareness.)

Glenn (Anonymous), 2009-02-25 03:46:
Hey Jeremiah. Excellent read, I'm glad our work impressed the panel! As an aside, and in a completely vain attempt to get my name higher in Google rankings (who does that? ;) ), could you s/Willinson/Wilkinson for the SensePost number 8 entry? Might also be more useful to link to www.sensepost.com/research/reDuh/ instead of the direct link to the tool, as there's some blurb to read there.

Glenn

Jeremiah Grossman, 2009-02-25 08:23:
@Glenn, first, great work on the research and congratulations on making the list! Made the corrections you specified, sorry for the delay.

Glenn (Anonymous), 2009-02-25 10:44:
@Jeremiah. Thanks for the kind words and update!

Glenn

Vincetastic, 2009-02-25 15:32:
This is an awesome top ten list Jeremiah, really interesting hacks. You can post this to our site http://www.toptentopten.com/ and then link back to your site. We are looking for content and in return our users will track back to your site. The coolest feature is you can let other people vote on the rankings of your list.

Cheri Sigmon (Anonymous), 2009-02-25 21:04:
Thanks for sharing results, Jeremiah. Great resources in 1 place. I shared a link to here on Twitter too (smile). Hope your traffic surges; good stuff for professionals.

@CheriSigmon

Jeremiah Grossman, 2009-02-25 21:07:
@Rob, me too! So many great techniques. You know there has got to be some sick combos one can do, especially considering all the stuff from the last two years.

@Cheri, thank you, glad you liked it. It is good to have all this stuff in one spot.